Why cure when you can protect?

Discussion in 'other anti-malware software' started by Kees1958, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree totally.

    @dw2108

    The flaw isn't ssm, but the user. SSM will detect the manipulations, trick is for the user to not allow them.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For real time, kept on-demand (though I try bitdefender)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ON PC-1 we have SSM-free running with the UI disconnected. Wife uses PC only for Internet, music download.
    The setup without AV in real time only works on stable PC's. My wife's does not get asked to decide, the setup either it allows or blocks/denies (see first post).

    On the other PC (PC2) I did not remove Antivir because Antivir every now and then finds something (Son's a gamer and tries software). So I agree also

    Setup PC2
     

    Attached Files:

  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have not an SSM only, SensiveGuard takes care for the protection of files (when the malware was able to sneak by DefenseWall). So the above won't happen
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have a backup of everything on external harddisk, so anyone mention a website which is very dangerous. I tried all the key-gen sites, some russion maleare sites, no one was able to crack the defense as a drive-by.

    As mentioned earlier, a shoot in the foot in our set up is not possible because download/startup of excutables is denied.

    I would be happy to try. Post the site or send me a private message. I will try and honestly tell you what happened.

    Regards K
     
  6. herbalist

    herbalist Guest

    I stopped using anti-spyware apps a couple years ago. About a year ago, I stopped using a resident AV. I run SSM-free for process/activity control, Kerio 2.1.5 for traffic control, Proxomitron for content filtering, and DOS batch files to restore the registry. The combination has been completely effective. Should my protection ever fail for whatever reason, system backups will cure the problem, though I've never had to use them to cure an infection.
    I can't comment on disabling DefenseWall as I don't use it. As for SSM, I keep it running during all installs, along with the firewall and InCtrl5. All activity and traffic is monitored and recoreded for every install. Yes, registry changes are normal during an install or update, but I still want to know what gets changed. Too many apps change things they don't need to.

    Because all files, apps, and code are suspect until it proves otherwise, just not all for the same reasons. Something that's poorly coded, bloated, or calls home is just as undesirable as something that's malicious. Unless you know how to disassemble an app and are willing to take the time to do so, the only way to know how it will run on your system is to try it. If I don't like the app for any reason, the Inctrl5 report identifies all the new files and my batch files will restore the registry. If it's a big application, I use my backup images.

    What apps or methods you use doesn't matter, as long as you have the option to undo the changes without having to manually dig out a bunch of registry changes or waste time manually deleting hundreds of files.

    dw2108,
    Using SSM only is a bad idea. At the very least, add a good firewall, one that can control the internet access of system components. There's no reason for a user to lower the firewall, especially during an update or install. Software installs and updates are when your system is most vulnerable. If anything, that's the time to have all your defenses running. If an installer wants me to shut down my firewall, I want to know why.
    Rick
     
  7. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I agree with the title of this thread...other then that I am still not yet ready to get rid of the AV and AT. Stuff can happen.

    I suppose Cyberhawk and/or SSM could substitute along with router or hardware firewall. :doubt:
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think many of you are exaggerating the scope of non-signature based applications. HIPS are notorious for pop ups and even a single wrong click by user might be enough and such a single click is quite possible IMO.

    Regarding FDISR frozen snapshot, ok-- allow a single click on killdisk virus and it will tear all of the first defence in peices( never tried on frozen snapshot but I believe so, have tried on non-frozen one). FrozenSnapShot/ PowerShadow will not stop per session keylogging. Moreover I don,t want to loose my data on each reboot and I can,t bother to arrange my data before each reboot. I am on dial up and I like to keep even my internet history saved, for few days.

    I use HIPS, Behaves, Sandbox, Restore to Fresh Image etc all but still I keep running a good real time AV scanner. It runs in background without any slow down and updates in few minutes and does not hurt me at all. It gives me relief when I click on a HIPS pop up that I don,t even understand well. I can,t google now and then for these pop ups and don,t want to break up OS things while being so paranoid and I am still safe.

    BTW I do believe that with a single sig based AV and FW I will be safe as I do safe surfing. Next thing is Privacy..... well, let me say I believe there is no real privacy on www, so I don,t care so much about that( doesn,t mean that I don,t care at all).
     
    Last edited: Mar 25, 2007
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    More spice:

    Visiting malware sites, checking drive bys - you need nothing more than FF.

    All apps are suspect until proven otherwise - then use virtualization software. Best way to check.

    Mrk
     
  10. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Common sense: obtain software from known, legitimate vendor’s site.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing is, whenever you install an app, you never really know if it´s malicious or not, that´s why signature/heuristics based solutions will always be needed. The problem is that none of the av/at/as tools can identify all malware, so I did loose some confidence in them. Never the less, I still scan files over at VirusTotal, at least if they are under 5 MB.

    But normally speaking, when you do a bit of research and download an app that is more widely known, the chances of it being malware are slim. A second thing you can do is to execute it in a virtual machine and see how a certain tool behaves. Of course I know that more advanced malware can try to act "legit" on a VM, but from what I´ve read, most malware won´t run at all inside a VM.

    Also, a HIPS (on VM or real machine) can notify you of suspicious behavior, for example a simple text editor that wants to install a service/driver is strange stuff. But there are a lot of other apps who need to do suspicious stuff in order to work correctly, and if you trust them you will allow it. But I guess as long as your PC isn´t acting strangely, you haven´t really got anything to worry about. :shifty:
     
    Last edited: Mar 26, 2007
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Btw, currently I´m only using 2 realtime protection tools, namely ZA Pro and SSM Pro. A HIPS like SSM can of course save you from zero day/drive by attacks, that´s the main reason why I´m using it.

    I haven´t been using an anti malware scanner (realtime/on demand) for almost a year now. And that´s because the only 2 apps that I´m interested in are not really good enough based on my criteria. AntiVir gets on my nerves, and KAV is too expensive plus it can make the system a lot slower.

    I´m also not doing any on demand scans, they take way too long, and if my PC isn´t acting strangely I don´t see the need to do this. However, I do monitor my PC with tools like Process Explorer, Pserv, RK Unhooker etc. Perhaps I will also add Tiny Watcher to my setup, it certainly does look interesting. ;)
     
    Last edited: Mar 26, 2007
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Lean, mean, clean and speed is my motto.

    C: drive partition is 8 gig in size - XP pro with Office 2003 components - word, excel and powerpoint.

    Sandboxie, Powershadow, Icesword and PC tools firewall as my only security with ghost images on E: partition.Coupla maintenance tools such as Ccleaner, Perfectdisk and Regseeker.Also a hardware firewall so I only need one of the lightest software firewalls for outbound control.

    I have used Bold Fortune's slimming XP guide to get rid of mainly the larger useless files and folders from C drive which now runs at a total of 894 meg of data.

    On the rare occassions I do a free online check of C: drive with Kav or one of the others it doesn't take long at all to do a scan which never find a thing.

    Perfectdisk smartplacement defrags take around 20 secs and Ghost images around 3 mins which includes an integrity check.

    I can restore from an image in less time that it takes some machines to boot.

    D: partition - 120 gig - is where I keep pics,flicks,music and personal stuff.

    There is only one other security app I would like to add and that is Defensewall but I only deal in cash or beer and I won't post any bank details online.

    The new Neoava Guard sounds interesting but doesn't seem to be released as yet.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The funny thing is, even when I´m using a signature/heuristics based solution, I find myself not completely trusting them because I know how often AV/AT/AS can´t spot/identify malware. So I end up scanning the file at VirusTotal anyway. It got me thinking, why use a scanner in the first place? It does give a bit peace of mind, but you can never be sure if your scanner is right or wrong. :rolleyes:

    Btw, I would also like to add a sandbox/virtualization tool to my realtime setup (like BufferZone, Sandboxie and DefenseWall) but I´m afraid they are all not quite good enough.

    I do currently use SBIE on demand, it´s very handy when you quickly want to check out tools, and if certain tools do not install correctly, it´s an indication of how deeply they want to install themselves into the system. It would be cool if you could easily track file/registry changes that a sandboxed tool made, I´m not sure if this is possible yet.
     
    Last edited: Mar 27, 2007
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    I have been running without an antivirus for the past four weeks and have yet to be infected with anything of consequence. Time will tell for a period of one year. Although, I acknowledge the limitations of such scanners, for peace of mind I continue to run an occasional weekly scan with A-Squared, AVG AntiSpyware, CounterSpy v2.0, NOD32 and SuperAntiSpyware. After experimenting with various security applications over the past eighteen months, I have come to the conclusion that, at the very least, a set-up that consists of a software firewall, real-time process memory scanner and application sandbox with little or comprehensive virtualization offers simple, strong and reliable protection. Lastly, I have posted links to articles below that present food for thought regarding the use of antivirus programs.

    http://www.computerworld.com/action...ewArticleBasic&articleId=9002695&pageNumber=1
    http://prweb.com/releases/2007/1/prweb499085.htm
    http://download.microsoft.com/downl...7f-b760-ee2421df294a/WindowsRemovalToolWP.doc
    http://www.zdnet.com.au/news/securi...efeats_antivirus/0,130061744,139263949,00.htm
    http://www.eweek.com/article2/0,1895,2040760,00.asp
    http://www.businessweek.com/technol...7.htm?chan=top+news_top+news+index_technology
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010460
    http://www.securityfocus.com/news/11446
    http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx
    http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html


    Peace & Love,

    CogitoErgoSum
     
    Last edited: Mar 26, 2007
  16. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    But in eleven years of using a pc and downloading masses of software from known, vendor's sites I have never encountered anything malicious this way. So is this a fluke? I don't think so. The only times (2) I've encountered malicious software was when I ventured into warez and P2P territory. Those days are long gone ;)
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't use a frozen snapshot to protect my computer against malware.
    I use a frozen snapshot to REMOVE all possible malware, because scanners can't do that. Scanners give you only a reassuring psychological message "Congrats, your computer is clean" to comfort your mind, but that doesn't mean your computer is clean.

    I still need a group of security softwares in my frozen snapshot to save the day, because a frozen snapshot is unable to do this.
    As I said so many times, separate problems from one another if you want to solve them.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    froop.exe is analysed by Prevx1, if not flagged by heuristics, maybe the comunity, and then cleaned if malware (since it monitored all events, or hopefully).

    DefenseWall and SandboxIE are there to give the user control. I install and save what i want, nothing else.

    And of course, what's the fun without some HIPS? At least execution protection, it's oh so cool:D
    I think SSM installed on a clean computer can be of good help, it would function as an alarm. It's up to you to see if there are burglars, not SSM.

    Even cooler is trying to set up "Linux", but that's another chapter.
     
  19. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I'm sure everyone here at Wilders does that right?

    Nobody ever runs off and try some new cool HIPS or app that someone just posted right?

    of course there is vmware and spare machines for all that....

    Honestly, these days I'm not really worried that someone will hack me from the outside. You will have to do so some silly stuff for that to happen.

    I'm not too worried about being nailed by some browser exploit or something too, but I suppose if I were, I would run it sandboxed.

    Realistically speaking, I think for me the greatest threat is that I go download and install some new software (or even new upgrade) that turns out to be compromised. Sure I know I'm supposed to run it in vmware or something but sometimes I'm lazy and sometimes, even running it in vmware does not give you an indication something is wrong.

    E.g if the software is actually a rootkit, you could run it in your vm for weeks without you noting anything is wrong then you decide not to mess around further as it's 'safe' and install it on your real machine...

    So yeah I could forsee going without AV but it would take some work.

    1) Sandbox all internet facing software.

    2) Run all software that isn't from a reputable known company in VM.

    That would handle the bulk of the threats really. SSM/Sensiveguard and all that is really for the paranoid, who want to handle cases where somehow someone breaks through and starts running stuff, deleting/replacing your files etc. And even then as many have pointed out, it depends on the user being able to realise something is wrong.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Devil's Advogate,

    My son turned out to be a gamer and a script kiddy. He strolled the internet and when he could break in to someone's PC he left a message "your friendly hacker was hear, close port 9999". I only found out when he hacked the wrong guy and that guy decided to return the favour. At that time my wife was working on her PC with only Windows firewall and AVG-free antivirus. Maybe because he found an encrypted folder (software provided by her work), he formatted the harddisk.

    So yes I became paranoid, with a hardware firewall, DefenseWall sandbox, SSM and SensiveGuard for an extra second and third defense layer and external harddrive for backups/recovery.

    My wife is a HR-advisor and has confidential data on her PC occasionally when she works at home. These documents and the loss of photo's made me carefull (maybe paranoid). I know script kiddies can not break in, I still think professional hackers will find a way in. My son is only allowed to game now, so I do not think he could spring of somebody's anger to return favours.

    Her PC is completely 'sealed' with SSM UI disconnected, SensiveGuard denies or allows does not ask, DefenseWall is quite by nature, so I am not worried about a 'shoot in the foot' decision of the PC-user.

    Regards K
     
    Last edited: Mar 27, 2007
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ CogitoErgoSum

    In the past few years I´ve read almost all of these articles, and it really makes you wonder if it´s worth paying money for signature scanners. I mean, even if the best scanners may identify 80% of all malware in the wild, there is still a chance they might miss something. :rolleyes:

    @ cprtech

    I agree, like I said before, when you don´t download cracks and do a bit of research before downloading stuff, normally you shouldn´t have any problems. I have also downloaded quite a few apps in the last few years and I don´t think that I have ever encountered malware.

    @ DA

    Yeah, you never really know for sure if an app is malicious or not, when you think about it, it´s almost ridiculous the way the whole system works. Would be cool if someone could build a non infectable OS. Of course this is not possible due to the nature of software, I think.

    But perhaps in the future, virtualization technologies integrated into the OS can make computer life a lot easier and saver. What if you could split your OS into various sandboxes and could switch to another "OS sandbox" in only seconds? So you could run a new videogame in a sandbox and even if it´s malicious it wouldn´t be able to hurt your real system.
     
    Last edited: Mar 27, 2007
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Vista already have it. And I need to say- this makes OS more vulnerable. Why? Because I may modify kernel32.dll and it will be stored within VirtualStrore folder and used by other low-privileged programs (that is default working mode). Or wininet.dll. And you won't see it, because it is stored not within the folder you look at.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Ilya

    Of course I am hoping that this new OS virtualization will be very robust, it should not be easy exploitable, no Blue Pills and stuff. And I´m not talking about Vista´s virtualization, I´m talking about stuff like Xen and Virtuozzo. Of course I´m hoping that this technology will be improved in the coming years, it should become faster and more secure. But 100% security doesn´t exist, all tools have their flaws. :rolleyes:

    http://www.swsoft.com/en/virtuozzo
    http://en.wikipedia.org/wiki/Xen
     
  24. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I agree as well. In fact, the real computer savvy users cna get away with minimal to know protection.

    Unfortunately, I do not fall into that category and I am looking for the maximum protection that puts the least number of decisions is my hands and at the same time makes the right decisions and allows functinality of the machine without too much of a drain on resources.
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hi.

    If I don't know what these entries are, I will naturally allow them (because I usualy allow everything during installations, so why not now), and I will get infected. My system is dead and I feel like an idiot. So I am taking my backups and I am restoring my system and my data, end of story. But getting infected has another purpose besides the obvious negative one: I am one step higher on a lerning curve. I have learned my lesson, and I am twice the wiser man now (well, assuming that I was reasonably itelligent initially). I know now what HIPS is and what kind of havoc can it summon if I don't learn how to use it properly. I am starting to read about security and to learn more. I find Wilders and register with it and learn some more. And of course, I am still learning, this is a perpetual process, and no matter how savvy I am, there is a fair possibility that some hideous monster, unknown yet to mankind, can destroy my system any minute (there are unkown monsters in the wild). Now, I'm not saying that the learning curve has to be a path covered with thorns, this is of course the hard way. But I believe that we all have a horror tale to tell, whether it is out of personal or second-hand experience.

    Greets.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.