What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    At last Safe-Admin on Windows 7 is as good as with Vista; running Windows 7 x32 Ultimate.

    Real time
    1. Border from medium rights (LUA) to high (Admin)
    a) UAC full
    - Disabled installer detection
    - Only allow signed applications to elevate
    b) BeyondTrust PowerBroker, run as LUA (unable to elevate)
    - Internet-facing apps (IE9, WMP, Mail)
    - Office 2003 programs (Word, Excel, PowerPoint)
    c) Virtualizing WMP and Mail through RUNASINVOKER (also set WMP and Mail with a mandatory Medium label with no write-up through CHML.EXE)

    2. Medium rights world protection (also applicable for admins and untrusted users :D )
    a) Deny Execute for all users
    - For all drives containing data (D, E) through icacls.exe
    - For Download directory, Program Auto start and Public Users directory through icacls.exe
    - For Local intranet and Restricted sites zones through SRP
    - For USB drives through SRP
    b) Drive by protection for Mail and Browsers (IE9 and Chrome)
    - 1806 default deny block of downloaded executables (removable with right click properties)
    - This closes gap for all unsafe user directories on C-drive (e.g. Users\Kees\etc)
    c) Taken away write access of all HKCU autorun entries for users with REGIL.EXE (only admin may change them)

    3. Border from low to medium rights
    a) Running IE9 hardened through Group Policy (no user changes allowed, forced in zone and always running Protected Mode)
    b) Running Chromium with the --safe-plugins switch (Chromium is unsigned; it has an internal sandbox containing tabs in low rights, job objects and an alternate desktop = total isolation), using the McAfee SiteAdvisor extension

    4. Windows FW 2 way

    5. EMET 2.1
    - Internet-facing: IE9, Chrome, Mail, WMP
    - Office apps: Word, Excel, PPT
    - Acrobat Reader

    On demand
    1. Antivirus scans
    a) Hitman Pro
    b) Bitdefender extension for Chrome
    c) Jotti upload for Chrome

    2. Backup
    a) Paragon for Image Backup
    b) Syncback for Data Backup


    Third-party real time: BTSERVICE (of BeyondTrust) uses less than 0.001 percent of CPU capacity (so not completely Windows-only :oops: ), using UAC full (have allowed CCleaner, Autoruns, Process Explorer, Paragon Image Backup and HitmanPro to elevate without prompt through BeyondTrust PowerBroker). When I want to install an application I move it to Temp and remove the 1806 block (got all the flexibility of running admin with LUA/deny-execute security), check it with HMP and Jotti.

    Links for background info
    1. Beyond Trust see
    - https://www.wilderssecurity.com/showpost.php?p=1916011&postcount=1
    2. Safe-Admin see
    - https://www.wilderssecurity.com/showpost.php?p=1852017&postcount=2
    - https://www.wilderssecurity.com/showpost.php?p=1852018&postcount=3
    - https://www.wilderssecurity.com/showpost.php?p=1852024&postcount=5
     
    Last edited: Aug 14, 2011
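    The "Deny Execute" and "1806" parts of the setup above, as an added PowerShell example (this is not Kees1958's own script, and the post only names icacls.exe and the 1806 zone value; the paths, the Everyone SID form, the inheritance flags and the helper names are this example's assumptions). Run it from an elevated prompt on Windows 7 or later; Unblock-File needs PowerShell 3.0 or newer.

```powershell
# Added example: apply Deny Execute for Everyone to data locations, switch the
# Internet-zone "1806" setting (launching applications and unsafe files) to block,
# and lift the mark-of-the-web for a single file you have decided to install.
# Assumptions (not from the original post): the path list below, and the use of
# (OI)(CI)(IO) so the Deny ACE lands on files and subfolders but not on the
# folder object itself (folder traversal stays untouched).

$ErrorActionPreference = 'Stop'
$Everyone = '*S-1-1-0'   # well-known SID for Everyone; avoids localised group names

# Placeholder list: data drives, Downloads, Public profile and the Start Menu
# Startup folder, matching the locations named in the post.
$NoExecPaths = @(
    'D:\',
    'E:\',
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:PUBLIC,
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
)

function Set-DenyExecute {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "skipping missing path $Path"; return }
    # An explicit Deny ACE always wins over Allow ACEs on the same object.
    & icacls.exe $Path /deny "${Everyone}:(OI)(CI)(IO)(X)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed on $Path" }
}

function Remove-DenyExecute {
    param([string]$Path)
    # /remove:d strips every Deny ACE for the SID; Allow ACEs are left alone.
    & icacls.exe $Path /remove:d $Everyone | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove:d failed on $Path" }
}

function Test-DenyExecute {
    param([string]$Path)
    # Read the ACL back instead of trusting the exit code: the Deny ACE for
    # Everyone must be present and must carry the execute right.
    $acl = (& icacls.exe $Path) -join "`n"
    return [bool]($acl -match 'Everyone:[^\n]*\(DENY\)[^\n]*\(X\)')
}

# Internet zone is zone 3; 1806 = "Launching applications and unsafe files".
# 3 = Disable (block), 1 = Prompt, 0 = Enable. Applies to files that carry a
# Zone.Identifier stream (the "mark of the web") from the Internet/Restricted zones.
$ZoneInternet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Set-1806Block {
    param([ValidateSet(0,1,3)][int]$Value = 3)
    Set-ItemProperty -Path $ZoneInternet -Name '1806' -Value $Value -Type DWord
}

function Test-1806Block {
    return ((Get-ItemProperty -Path $ZoneInternet -Name '1806').'1806' -eq 3)
}

# The "move it to Temp and unblock" step from the post, done per file rather than
# by relaxing 1806 globally: copy the installer to %TEMP%, remove its
# Zone.Identifier stream, and return the SHA-256 you would check against a
# scanner report before running it (certutil ships with Windows 7).
function Prepare-TrustedInstall {
    param([Parameter(Mandatory=$true)][string]$Installer)
    $dest = Join-Path $env:TEMP (Split-Path -Leaf $Installer)
    Copy-Item -LiteralPath $Installer -Destination $dest -Force
    Unblock-File -LiteralPath $dest          # same effect as "Unblock" in Properties
    $hashLine = (& certutil.exe -hashfile $dest SHA256)[1]
    return @{ Path = $dest; Sha256 = ($hashLine -replace '\s', '') }
}

# Apply everything and report.
foreach ($p in $NoExecPaths) { Set-DenyExecute -Path $p }
Set-1806Block -Value 3
foreach ($p in $NoExecPaths) {
    if (Test-Path -LiteralPath $p) { '{0,-60} deny-execute: {1}' -f $p, (Test-DenyExecute -Path $p) }
}
'1806 block active: {0}' -f (Test-1806Block)
```

    The Deny ACE is inherit-only, so `icacls D:\` on the drive root shows it with (IO); a file created afterwards under D:\ inherits a plain Deny (X) and fails to launch with "Access is denied" for every user, admins included, which is the point of the post's "applicable for admins" remark. Remove-DenyExecute is the undo if a data drive turns out to hold something that must run.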
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    I came here to report the same thing, and saw your post.
    I disabled MBAM real-time as I felt it had slowed down browsing and boot time.
    I hate taking it out of the real-time mode, but I still have it update every hour and scan once a day.
    I'll probably enable it again one day before too long.
    :cool:
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,563

    What do you mean by alternate desktop? how do you do it? :)
    Paragon. Is it free?
    I'm copying your setup and add trusteer rapport
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  6. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    windows xp sp3:
    Panda + PrivateFirewall + SpyShelter free

    other machine :
    windows 7 x64

    Avast free everything high
    Prevx free high
    Mamutu
    MBAM trial ;) it will end in five days
    Comodo Firewall
    secunia
    Sandboxie free

    Lua +emet +SRP

    Firefox + noscript,trafficlightbeta ,

    On demand MBAM ,SAS ,hitmanpro

    so what do you think
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep all free, paragon and syncback

    M00nbl00d gave you the links: it is all Chrome / Chromium default protection, they really achieved total isolation; also their JavaScript engine is superb, see the explanation of hidden classes http://www.youtube.com/watch?v=hWhMKalEicY


    I also think Chrome has great scripting protection (of course someone who makes a living out of blocking scripts will disagree :D ) and is constantly improving the browser for it

    http://chromestory.com/2010/10/xss-...o-add-more-security-to-google-chrome-inbuilt/

    Also the newest Chrome warns about dangerous content for scripts
    http://news.softpedia.com/news/Chrome-14-to-Block-HTTPS-Mixed-Scripting-by-Default-206738.shtml

    http://www.itnews.com.au/News/261012,google-to-kill-man-in-the-middle-attacks.aspx

    But then again I am a security minimalist :D , so don't take my word for it
     
  8. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    135
    Location:
    Spain
    Real-Time:
    Avira Antivir Personal with Guard scanning only "downloads" partition (Number of files scanned 0 unless I download anything)
    Sandboxie (For Firefox with delete contents, internet/start restrictions, drop rights and only able to read my windows partition)

    On-Demand:
    Avira Antivir Personal (Active processes daily scan)
    MBAM (Daily scan)
    Hitman Pro (Just in case)

    Misc:
    EMET
    Norton DNS
    Secunia PSI
    Macrium Reflect Free
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,563
    No Realtime AV and FREE Security Setup

    • Windows 7 Professional SP1 32-bit

      • System Partition, Data Partition (storage),
      • Microsoft Baseline Security Templates, Software Restriction Policy (SRP), UAC set to highest, EMET and 1806 trick (3)
      • deny Everyone from executing on data partition and download directory, userspace including desktop
      • disabled unnecessary services (i.e. print spooler, windows search, windows defender)
      • Macrium Reflect FREE (Sector-by-Sector image backup)

        • OpenDNS / OpenDNS FamilyShield
        • MVPSHOST

        • Trusteer Rapport

        • Mozilla Firefox (5.0.1) (explicit low-integrity via icacls)
          • Noscript
          • Adblock Plus
          • HTTPS-Everywhere

        • PowerBroker FREE Edition

        • Hitman PRO (on-demand scanning)


    Thanks Kees1958, m00nbl00d :)
    I replaced Chrome with Firefox because I really like Noscript :)
     
    Last edited: Aug 10, 2011
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Konata,

    M00nbl00d knows a trick to run unsigned programs elevated (he also uses a batch file to switch on/off cmd + batfiles through registry)

    After implementing this you are officially a member of the SMK-club (Guess we will have to call it SMK2 now, Sully, M00nb00d Konata and Kees) :D
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,563
    I only install browser, bittorrent, media player, IM, Steam and watch movies :D
    I don't elevate unsigned apps :D

    btw after installing powerbroker, my sandboxie broke o_O


    haha SMK2!
    *makes his SMK2 avatar now* :D
     
  12. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    thats a very good setup konata:thumb:
     
  13. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,563
    thanks. but I don't think so.. I'm still not satisfied with it :(
     
    Last edited: Aug 10, 2011
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Page42 :) I love MBAM Pro but with OA++ it slows down my browsing session and boot up too; maybe in the next release it will be better ;)
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    What's odd is that enabling real-time protection in MBAM does not seem to make any difference performance-wise right away. It seems to creep up over time until I really notice the drag on the system, and then disabling MBAM real-time protection and IP blocking makes for a dramatic speed increase. :doubt:
     
  16. windowsdefender

    windowsdefender Registered Member

    Joined:
    Aug 9, 2011
    Posts:
    98
    Trend Micro Titanium Antivirus +, Zonealarm Firewall and Windows 7
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    page42 same here:D
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I configure my NAT router firewall on high ;) and other restrictions :D and NoVirusThanks is rocking and rolling on my XP system :thumb: and OA++ on my Win7 x64 :)
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    Thanks for that confirmation.
    I wonder if the MBAM people are aware of this?
    I mean, the slowdown is one thing, but the gradualness of it seems so hard to explain.
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,753
    Location:
    Toronto Canada
    I thought about getting it, but this seems like a good reason to hold off and stay with the free version for the time being.
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    Except the license is lifetime, and your setup may not produce these same results.
    ;)
     
  22. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,753
    Location:
    Toronto Canada
    From what I've read it's not uncommon and I see no reason to believe I will be the exception. Also Avira's forum recommends its use as on-demand only. There is a thread on the Avira forum developed by a couple of mods, kind of like Blackspear's recommended setup for NOD32.
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,648
    Location:
    Milan and Seoul
    Avira and MBAM when both with active guard on, they definitely slow down my system, not much but it is noticeable. As I'm using Sandboxie I have them both on demand (by all means Hammer, I'm not trying to convince you to get Sandboxie!). I've also tested MBAM alone with active guard on, the system didn't seem to be affected although I've only had it on for a few hours.
     
  24. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    rock and roll is good but dont fry ur system though:argh:
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I also use a batch file (rather two batch files) to switch between medium and low IL for %AppData%\Local\Temp folder. The batch file that applies the Low IL, applies it without inheritance.

    When I want to download something, I just need to run the batch file to set the low IL, and then the other one to set the IL back to medium.
     