SSM Firewall Enough

Discussion in 'other firewalls' started by Dazed_and_Confused, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    I suppose one could run AntiHook for some .dll injection protection. That with the SSM should be adequate. I think the setup would beat the leaktests and defeat the spyware and malware. The antivirus should be doing its job. Both together are actually light on the PC. The learning mode or fingerprint mode for two weeks or so on a perfectly clean PC would be okay.

    It does just boil down to the user's preferences of firewalling. Either the heavy duty firewall with absolute control or just some simple firewalling and a secure PC on the inside. Each to their own.

    12fw
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sure,

    To be absolutely sure, you could run CyberHawk and PrevX1 side by side.
    In two weeks you should have touched nearly everything when using the PC regularly.

    Only exception you have to make is your AV. Reason for this is that Antivir, for instance, every now and then updates the AV application itself. Problem with AV updates is that they update from a temporary directory with a new name (usually the release number). To overcome this, I have enabled the "Don't check MD5" for my AV-guard and manually changed the rules for the Update.exe to "Allow this process to start any unclassified process".

    SSM-FREE protects against process modification and physical memory (the latter is not covered by Antihook as far as I know). SSM paid and Antihook give a more granular control on parent-child process control and hook setting/protection. I have used SSM paid (got it free from giveawayoftheday), but preferred the less granular control of SSM-free. SSM-free also allows you to add additional registry monitoring. I have added the registry entries in the free version which are also mentioned by RegRun (you could also have a look at the entries MJ Registry Watcher monitors).

    Regards Kees
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    After going the highly-configured route, you have expressed exactly how I feel. I now feel better with my new, "lighter" configuration. Thanks again! :)
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    ~Personal view/comment

    As mentioned, not everyone wants to config a firewall that gives popups for every port/protocol used/wanted for an application.

    From my point of view of being behind a router on a LAN that is fully trusted... well, this for me depends on the internet access (for my app`s) involved, the programs I use, and what I install on my PC.
    I look at my own setup / personal use... I use only a browser (currently FF with noscript/refcontrol) and a mail client (currently Thunderbird). My LAN is now only used by myself, and the PC`s I place there. I believe I can easily use only SSM (or similar) for internet access.

    Explanation:
    I have DHCP/DNS clients disabled (I do not need them, I use fixed IP on LAN), services such as winTime (etc) are disabled, this means I have no need to allow svchost direct internet access. But cutting it short (don't want to bore)... the only internet access I need to allow through SSM is for my browser (allow trusted/untrusted) and for my mail client (trusted). This is because I place my DNS/mail servers into the "trusted" IP`s of SSM. I do not install any software unless from the vendor (OK, some degree of possible problem, depending on the vendor). The allowed installation of a program can simply corrupt your security.

    Don't be mistaken, I am not here to tell/talk you/anyone into using a firewall, I joined here to help users with problems with firewalls.

    But I must admit, I have tested many firewalls, I have not yet tested a router/firewall (todo list).

    Just my personal bit
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Stem, a few questions

    Could you explain what you have done to "put your DNS/Mail server into the trusted IP's of SSM".

    I have currently DNS/DHCP enabled, what is the disadvantage of putting fixed IP numbers in my wireless clients? The DNS/DHCP service always gives the same client the same IP address. I have MAC address control on fixed IP numbers anyway, so I could easily set in the IP addresses myself? Reading your explanation, it seems to make things easier to secure when you use fixed IP addresses (after all, at home we are in a LAN with a maximum of four clients, so I do not have a large network to manage).

    Thanks
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Kees1958,
    For trusted IP`s in SSM, simply go to the "Network" tab and "Add address"

    As for DNS/DHCP. I fix these simply to stop giving svchost any direct internet access. (The registry is protected from alteration)
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Stem thx

    I should have kept SSM paid when it was for free on giveawayoftheday. I am using SSM-free, so no wonder I could not find it.

    So when I enter a static IP address, subnet mask, DNS server etc, svchost should not initiate outbound traffic anymore?

    Do I also need to disable the time synchronization service?

    Regards Kees
     
  8. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Hi Kees1958

    I think what is meant by Moderator Stem is that svchost does go to the internet, but it is "locked" to the correct servers. Doing what Stem mentioned prevents the DNS spoofing and malware from using svchost as its own servant.

    Disabling Time Synchronization Service eliminates a vulnerability of Windows. If left on, the svchost will listen to the port 123 and can be a vulnerability.

    Background Intelligent Transfer can be set to manual. It too can be a vulnerability.

    Usually before patch Tuesdays, I reset some of the services and manually check and reset the time and do the updates. After that is finished, I disable them again.

    Blocking the BIOS, DCOM and IRC ports in the router is an extra. This is an easy way to help secure the PC with a hardware firewall. Still, the PC is hardened, but this is an added security measure.

    12fw
     
  9. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Stem will probably clarify, but the above means that svchost truly has no Internet access. DNS client is disabled so the individual network accessing applications do the dns lookups – not svchost. Using a static ip also takes svchost out of the equation because dhcp is not required to routinely assign ip addresses. The ip is fixed for good, unless he feels like changing it, in which case he would do that manually. No time service means no Internet access for svchost either.

    You are welcome :)
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I disable all internet related service`s for svchost. DNS/ DHCP/ Computer Browser / Windows Time etc. This way svchost has no direct internet need, so I can place a block on its internet access. If I decide to make a Windows auto-update (I normally make manual updates) I would then start the Windows Update service, and set the Windows "Bits" service to manual.
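
The service state described in the posts above can be checked with a short PowerShell audit. This is an added example, not something posted in the thread: the service short names are the standard Windows ones, while the `$Intended` table and the function names are assumptions that mirror the static-IP, manually updated setup the posters describe.

```powershell
# Added example, not from the thread. Intended start modes mirror the posts above
# (a static-IP, manually updated PC); they are not a general-purpose baseline.
$Intended = [ordered]@{
    Dnscache = 'Disabled'   # DNS Client
    Dhcp     = 'Disabled'   # DHCP Client (only workable with a fixed IP)
    W32Time  = 'Disabled'   # Windows Time, UDP 123
    Browser  = 'Disabled'   # Computer Browser (not present on current Windows)
    BITS     = 'Manual'     # Background Intelligent Transfer
}

function Get-SvchostServiceAudit {
    param([System.Collections.IDictionary]$Policy = $Intended)
    foreach ($name in $Policy.Keys) {
        $want = $Policy[$name]
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # A service that is not installed gives svchost no reason to reach the network.
            [pscustomobject]@{ Service = $name; StartMode = 'NotInstalled'; State = 'n/a'
                               InSvchost = $false; Intended = $want; Ok = $true }
            continue
        }
        # 'Manual' tolerates 'Disabled'; 'Disabled' must match and must not still be running.
        $ok = if ($want -eq 'Manual') {
            $svc.StartMode -in 'Manual', 'Disabled'
        } else {
            $svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running'
        }
        [pscustomobject]@{
            Service   = $name
            StartMode = $svc.StartMode          # Auto, Manual or Disabled
            State     = $svc.State
            InSvchost = $svc.PathName -match 'svchost\.exe'
            Intended  = $want
            Ok        = [bool]$ok
        }
    }
}

function Get-NtpListener {
    # Reports any process still bound to UDP 123, the time-service port mentioned above.
    # Get-NetUDPEndpoint ships with Windows 8 / Server 2012 and later.
    Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ LocalAddress = $_.LocalAddress
                           Process = (Get-Process -Id $_.OwningProcess).ProcessName }
    }
}

Get-SvchostServiceAudit | Format-Table -AutoSize
Get-NtpListener | Format-Table -AutoSize
```

A row with `Ok` false while `State` is `Running` usually means the start mode was changed but the service has not been stopped or the machine rebooted since.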
     