What options are there for x64 Windows 7?

Discussion in 'other anti-malware software' started by Carbonyl, Dec 18, 2009.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hi everyone. I'm sorry for this rather open-ended question, but I've been trying to research security options for Windows 7 Professional 64-Bit version, and my head is starting to spin, I've come across so many complications.

    To start with, I use my machine for communication (email, IM, voice), light word processing, music, and a heavy amount of gaming. I built the machine to be a gaming rig, so Steam gets a lot of use on the machine. I browse using Opera, with Javascript activated on a white-list only basis. I run ESET NOD 32 v4, though I admit I'm also using the built-in Windows 7 Firewall. UAC has been bumped up to maximum. Weekly I scan with MalwareBytes Antimalware and Spybot S&D, and I use Spybot's immunize feature.

    Lately I've come to realize that realtime A/V is not sufficient for security. I haven't been hit with any nasties yet (knock on wood), but from threads around the net I gather that a sandboxing, virtualization, or HIPS solution is necessary for any sort of real security these days. There are just two problems. One: I'm a dunce, and can't get my head around what might be best. And Two: x64 Windows 7 can't use some of the best security software! Patchguard seems to make it a very difficult prospect to get any kind of security on a Windows 7 x64 machine.

    So I appeal to you, who are more knowledgeable than I. Very often I wind up running programs that demand UAC permissions (EVGA Precision to modify fan speeds, Process Explorer to see what's up in the background). Also, Steam and its ilk auto-patch themselves on a regular basis. I gather this means that whatever solution I settle on, it's going to need to keep some of the files transferred automatically, and also have admin permissions accessible to some user-launched programs on a regular basis.

    I'm sorry if that's all very vague, but I fear I'm not terribly up to date or savvy about what might be the best option for x64 Windows 7 that won't be completely annoying or conflict with my already-installed security options (As a final note, I'd like to keep NOD around - I'd just like something on top of it).

    Thanks!
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,128
    Location:
    USA
    Prevx 3.0 supports Windows 7 x64 and is likely to get along with your AV. You can install it for free in monitoring mode and assess how it behaves before making a decision about a license. There's a lot of talk about Prevx on Wilders - if you're not familiar with it do a search for discussion threads.
     
  3. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    I'll be honest with you. Unless you're surfing p@orn or downloading torrents (which I'm sure a lot of us do but won't admit... you know who you are ;) ) you should be good as gold. I know a lot of us (including me) are anal about security. You definitely sound like the type that doesn't just click on anonymous links in email or just install any software you don't trust. If you're doing any of the activities above, just install Linux in a virtual machine (VirtualBox if you want free) and you'll be good to go. Might want to scan the files with VirusTotal before you use them though. Most people who surf the internet and have common sense are perfectly fine with just Windows Firewall & Microsoft Security Essentials. I don't use NOD but I've heard some good things about it. I myself use NIS 2010 and am perfectly happy with it. If you can go into details (if you have it) how you got infected we could maybe offer some more recommendations.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I tested Norton Antivirus today and it missed 2 malware :) :D If this malware is installed without VMware, the system is very infected :D
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree with Victek123 regarding Prevx 3.0. Also, the SafeOnline Browser Security add-on for Prevx is now x64 compatible as well. :thumb:

    For virtualisation, Returnil RVS 2010 and Shadow Defender are both Windows 7 x64 compatible. Both are great applications for sandboxing Internet facing programs such as browsers. They are also good for testing software that doesn't require a reboot. They are slightly different in terms of features and pricing, so it's best to try them both before deciding.
     
  6. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Goodness, I didn't get infected! Not to my knowledge, anyhow. I'm just super paranoid about getting infected. Rootkits scare the holy-living garbage out of me, and so do keyloggers. It seems that these days the threats that are out there depend less and less on user intervention, and somehow manage to infect systems without any input on the part of the person behind the keys. I'm very worried about the recent rash of attacks launched through trusted sites. I don't point my browser in any direction that I'd consider nasty or dangerous (I'll use a mac or linux for that if I have to), but I use my Windows box for light browsing (mostly gaming sites/forums), gaming, and IM. I just want it to be as secure as possible.

    Thanks to everyone for the suggestions! I'm probably going to check into each of them soon. Prevx seems very appealing for being able to run alongside NOD, but I'm a little unsure of what it does. I'll check around the threads, though. Thanks for that tip. :)

    As for Returnil RVS 2010 and Shadow Defender - Is it possible to only Sandbox certain programs? I'd love to sandbox my browser / IM client, but I don't want programs like Steam to get sandboxed, because Steam needs to retain files it auto-downloads. Come to think of it, I'd like my IM client logs as well. I probably just need to do a bit more research, but these are excellent starting points. Thanks to everyone for the advice!
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Before doing anything I would suggest looking at limited user access and policies. You have a very nice OS there in 64bit Win7 and there is a lot one can do in tying down the system before adding anything to it.
     
  8. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45

    FYI you don't have to be so concerned with rootkits with x64.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I would also say Prevx for 64bit!

    TH
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Prevx:) ;)
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    If you haven't already seen it, this review by PC Mag may be of interest: http://www.pcmag.com/article2/0,2817,2346861,00.asp

    No, it's not possible to only sandbox certain programs. RVS and SD virtualise whole partitions, not individual applications. With RVS, virtualisation is supported only for the system partition (usually the C: drive). With SD, both system and non-system partitions can be virtualised. In practice this difference doesn't matter, as RVS also has a file protection feature that can be used to protect files and folders on non-system partitions from modification. Both programs have features to allow individual files and folders to be saved to the real file system while virtualisation (called Shadow Mode by SD) is active.

    With RVS, the RVS File Manager can be used to define a list of files and folders to be saved to the real file system on demand when the virtual mode is enabled. You must remember to do this before rebooting though or you lose any changes, which makes File Manager a little inconvenient to use. The free version of RVS does not include File Manager. The ability to save individual files and folders while virtual mode is enabled is only available in the paid version, which requires an annual subscription.

    With SD, an exclusion list of files and folders to be excluded from Shadow Mode can be defined. Unlike RVS, the exclusion from protection is automatic. All changes to excluded files and folders are made directly to the real file system, so you don't have to remember to save files and folders before exiting Shadow Mode. There isn't a free version of SD, but the SD license is a one-time payment with future updates included (similar to Sandboxie).

    From what you've said, SD sounds like it may be a better fit to your requirements, but it's still best to try both to see which you prefer.

    EDIT: Both RVS and SD require a reboot to exit the virtual mode, which makes them less convenient to use than Sandboxie. Unfortunately, it is unlikely that there will ever be an x64 version of Sandboxie due to the restrictions that Patchguard places on the Windows kernel.

    The differences between RVS and SD have also been discussed in this thread: https://www.wilderssecurity.com/showthread.php?t=260115
     
    Last edited: Dec 20, 2009
  12. moserw

    moserw Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    30
    Comodo has a 64-bit firewall and that works great for me. Prevx 3.0 (64-bit) is also excellent and pretty much never interferes with other AVs installed on the system.

    Along with the existing Eset Nod32 they will provide pretty comprehensive and unbeatable security.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    They are possible and not so hard to achieve.
     
  14. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Anti-virus:
    3 Big A's (Avira, avast!, AVG)
    Norton
    ESET NOD32


    Anti-malware:
    a-Squared Anti-Malware
    MBAM
    PrevX


    Firewall:
    Comodo IS


    Virtualization:
    Returnil 2010
    ShadowDefender


    Sandbox:
    GeSWall
     
  15. Jav

    Jav Guest

    GeSwall doesn't support 64-bit OS yet. :(
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    PC Tools Firewall Plus 6 is also x64 Windows 7 compatible and stands alongside Comodo Internet Security. Both are excellent choices.

    It's a moot point whether or not GeSWall should be called a sandbox since it restricts by policy, not isolation. The vendors of GeSWall explicitly reject the notion that GeSWall is a sandbox for precisely this reason. See the following GeSWall FAQ: http://www.gentlesecurity.com/docs/geswallfaq01.html#q4

    RVS and SD on the other hand are sandboxes in the above sense, because they are both used to create a virtual clone of the OS, thereby isolating all system activity that takes place within the virtual environment.

    The trouble with terms such as HIPS and Sandbox is that there isn't an agreed meaning that everybody subscribes to. That doesn't matter of course providing that, in relation to any specific program, the feature set offered, and the pros and cons of the approach(es) used, are clearly understood. The danger of not having well defined, agreed, terms of reference though is a risk of confusion resulting from a loss of conceptual clarity. For example, calling both GeSWall and Sandboxie 'sandboxes' invites a direct comparison between them, which IMHO would be like comparing apples and pears.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, why don't you use the built-in options of your OS?

    Open the Group Policy Editor (gpedit.msc) and apply a default deny execute on the user space and allow some specific applications (like games installed in the shared user directory, like World of Warcraft). Now you have your HIPS by using the Software Restriction Policies (SRP) of your OS.

    See attached images.

    Also forget FF, IE8 runs with lowest rights, plus with GPO (group policy) you can make IE8 secure without losing functionality (e.g. allow only admin approved plug-ins). Of all browsers Chrome has the best UAC implementation (does not allow side by side injections); IE and FF do not have that, but IE runs with lower rights, making it a viable (better, in my opinion) alternative to FF.

    Group Policy also has some nice options, for instance you can block execution of downloaded attachments (remove the block by right clicking on a download and removing the block from the Security tab). The GPO attachment policy is an extra layer on top of SRP. You can also set Win7 to launch your antivirus when a dangerous attachment tries to execute. I have set Avast to check only at writes; Win7 (in my case XP Pro) uses the ScanWithAntiVirus protocol to start Avast and check attachments and downloads when I click them. This way you do not waste CPU power on an on-execute check (since you do not install using UAC, SRP, and the GPO rule on executing dangerous programs in the internet zone (Warn) and blocked internet zone (Don't execute)).

    I really regret having bought Vista Home Premium x64 on the gaming box, next time I only buy the x64 Pro versions (Win7 probably).

    Regards Kees
     

  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Example of Group Policy blocking ACCESS before the Software Restriction Policy kicks in (same message as an ACL block), see picture.
     

    Last edited: Dec 24, 2009
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Example where the downloaded code execution block is removed via right click, options. You can see it is a different check, because now the Software Restriction Policy kicks in. See picture.
     
    Attached file: SRP.JPG
    Last edited: Dec 24, 2009
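    An added example, not code from the thread or from any product named in it: a PowerShell script that writes the Software Restriction Policy Kees1958 describes (default deny on user space, allow a few specific paths) to the same registry keys that gpedit.msc uses, then lists the resulting path rules so the policy can be reviewed before it is relied on. It assumes an elevated prompt on Windows 7 Pro/Ultimate, and the %PUBLIC%\Games\ExampleGame path is a placeholder for the shared-profile game directory mentioned above.

```powershell
# Added example (not from the thread): "default deny, allow a few paths" SRP written to
# the registry keys gpedit.msc itself maintains. Run elevated, then 'gpupdate /force'.
# PLACEHOLDER: the %PUBLIC%\Games\ExampleGame allow rule is an assumption, adjust it.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $Unrestricted = 0x40000   # SRP security levels (subkeys named 0 / 262144)

function Add-SrpPathRule([string]$Path, [int]$Level, [string]$Description) {
    # Path rules live under <level>\Paths\{GUID}; ItemData may contain %ENV% variables
    $key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
}

function Set-SrpDefaultDeny {
    New-Item -Path $Base -Force | Out-Null
    # Allow rules go in first: a default-deny policy with no rule for the OS locks users out
    Add-SrpPathRule '%SystemRoot%'        $Unrestricted 'Windows'
    Add-SrpPathRule '%ProgramFiles%'      $Unrestricted 'Program Files'
    Add-SrpPathRule '%ProgramFiles(x86)%' $Unrestricted 'Program Files (x86)'
    # Game installed in the shared user directory (placeholder path, see lead-in)
    Add-SrpPathRule '%PUBLIC%\Games\ExampleGame' $Unrestricted 'Game in shared profile'
    # Everything not matched above (user profile, downloads, temp) is denied
    Set-ItemProperty -Path $Base -Name DefaultLevel       -Value $Disallowed -Type DWord
    Set-ItemProperty -Path $Base -Name PolicyScope        -Value 1 -Type DWord  # 1 = all users except local admins
    Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 1 -Type DWord  # 1 = executables only, 2 = also DLLs
}

function Get-SrpPathRules {
    # Audit: list every path rule with its level, so an over-broad allow (e.g. all of
    # %PUBLIC%, where downloads could be dropped) is easy to spot before enforcing.
    Get-ChildItem -Path $Base -ErrorAction SilentlyContinue | ForEach-Object {
        $level = switch ($_.PSChildName) { '0' {'Disallowed'} '4096' {'Basic User'}
                                           '262144' {'Unrestricted'} default {$_} }
        Get-ChildItem -Path (Join-Path $_.PSPath 'Paths') -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{ Level = $level; Path = $p.ItemData; Note = $p.Description }
            }
    }
}

Set-SrpDefaultDeny
Get-SrpPathRules | Format-Table -AutoSize
```

    Review the table before logging in as a standard user: any path a non-admin can write to that appears as Unrestricted undoes the point of the policy.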
  20. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    It DOES support Windows 64-bit.
     
  21. Jav

    Jav Guest

    hmm.. maybe only for XP!?

    from http://www.gentlesecurity.com/blog/
    http://www.gentlesecurity.com/download.html -- Current latest version is 2.9

    So IF it supports 64-bit, then only for XP..

    Title of the thread: "What options are there for x64 Windows 7?" :(
     
  22. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    What would be the gain of PC Tools FW compared to Windows FW with outbound traffic control?
    None, I think.

    Kaspersky IS is also a good choice if you are looking for a HIPS.
    It also has a sandbox. It's not quite good but better than nothing.

    Soon, Avast and Comodo will have a sandbox too. I'm just curious how good they will be.
     
  23. Jav

    Jav Guest

    Hi Kees,
    So at the end if it is 32-bit system, you would recommend Anti Executable or DefenseWall over (UAC+LUA+SRP(or Applocker))?
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    It all depends on whether there is an expectation that a firewall should be able to pass leak tests. For people who think this is important, Comodo and PC Tools Firewall Plus are good choices because they score well in the Matousec firewall tests. For people who regard the ability to pass leak tests as irrelevant, I agree the Windows 7 firewall is probably as good as any.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you want to see your HIPS in action choose AE, when you want to be quietly protected choose DefenseWall (or want a good firewall with it in DW V3).

    For my wife I have DefenseWall. With DW you have the protection of a HIPS, which is easy to work with for a novice. AE and Online Armor were the two innovators on execution control. When OA made the move to HIPS+Firewall, I think Faronics made a move to the corporate market. Some Wilders members of which I think highly preferred AE2 over AE3. I have not tried AE, so it would be dishonest to give an opinion on something that I have not used myself.

    From a protection point of view, the earlier the better. So AE scores some points (preventing execution). From a risk point of view, limiting the untrusted (originating from a threat gate) is a smart approach (allows for strict security with few to no user decisions), so DW scores some points.

    Apologies for the indirect answer. :doubt:

    Regards Kees
     