Simple firewall + Threatfire enough?

I'm back at this stage again; wondering the level of protection I really need.

After anaylzing my daily tasks on the PC, given I don't deal with "cracked software", and I spend most of my browsing in Opera or FF.

Till date, I have not had any infections pertaining to Viruses, Adaware, or Spyware.

My current level of protection is Spywareblaster, SAS on demand.
I have been a week without anything else as protection, but am thinking of using a lightweight firewall + hips.

My intention is to have a very lightweight security setup that will be able to detect things such as malicious intentions when plugging in someone elses USB drive, or connecting to multiple wireless connections. Other than that, I don't worry about being infected.


So my question to you all is:
What would be a easy to use, effective and lightweight firewall to use for a laptop?
Is threatfire(without an AV) the right choice when dealing with malicious intent as stated above?

Note: I would like to avoid running an AV, so please don't suggest them. My new security setup is towards intended malicious attacks instead of infections from things 'I' do.

Thanks.

 

I suppose some type of sandbox software would be in order. Sandboxie or Defence Wall perhaps.http://remove-malware.com/prevention/

 

My current setup maybe interest you: CIS (firewall with D+), sandboxie and Prevx Edge, very light and effective. You can choose other firewall, like Online armor and add other sandboxie like Geswall or DefenseWall. I Think for what you need, DefenseWall/Geswall maybe better, because of the restrictive policies for removable media/devices.

 

The only way to protect your self is with 3 layers. That is:
Prevention
Detection
Cure

Sure you can have alot of detection security programs, but the reality is detection wont stop a new malware. So something like DefenseWall, Defense+ (in Comodo Internet Security) is good for prevention, followed by a detection solution (AV), Cure...

Cheers,
Josh

 

Agreed.

 

PC Tools Firewall Plus is a free, easy-to-use, effective, and lightweight firewall that works very well in conjunction with ThreatFire. It perfoms well, strikes a good balance between security and ease of use, and rates highly in the Matousec Firewall Challenge. The main issue that people appear to experience is with ESV (Enhanced Security Verification) enabled. ESV is the HIPS component and like any HIPS has the potential for conflict with other applications. I'm running PCTFWP with ESV enabled alongside ThreatFire and haven't experienced any problems. If you decide to go with PCTFWP you could try turning ESV on initially and see how it goes. If you experience any problems you can always turn ESV off again.

ThreatFire is a very good choice and is very effective at blocking malware. There have been complaints from users about the lack of a Deny option but PC Tools have said they will look to adding this in a future release. As TF is a behaviour blocker, it's quieter and less intrusive than a classical HIPS. In any case, a number of firewalls already have a HIPS component so a BB makes a perfect complement.

As has already been mentioned, you might also want to consider virtualisation and/or policy-based HIPS (quieter than classical HIPS) as an additional layer. Good examples of virtualisation are: Sandboxie (application virtualisation) and Returnil (partition virtualisation). Good examples of policy-based HIPS are: DefenseWall and GeSWall. Plus, it doesn't hurt to have a couple of on-demand scanners, just to make sure the PC is clean.

 

While I may be considered to be a member of the "risk-takers group"...I have used TF (since the dawn of the Cyberhawk days) and Windows Firewall as my "sole" "active" malware protection. I am behind a router that offers hardware firewall protection. I have never - to date - had any malware sucessfully gain access to any of the systems that I support when using this configuration - except when a user intentionally continues an operation after having been warned....agreed, maybe I am just lucky...but, nonetheless, the systems I support are generally older and of moderate performance capabilty and these require a lightweight anti-malware footprint in order to remain realistically operable for the user.

I use the "Default" "Sensitivity Level" and I do employ all of the "Custom Rules" available in TF and I add an additional rule for monitoring untrusted processes attempting to monitor any network connections....effectively, monitoring any outbound listening. One of the available custom rules does monitor untrusted attempts to actually create network connection. Essentially, these two rules will provide an "ersatz" outbound firewall capability. One does need to add "Trusted Processes" as they are flagged by TF or tell TF to remember your decision on each pop-up.

This type of setup provides a very lightweight footprint and provides the user with minimal pop-ups and questions...and, has to date, not permitted sucessful malware penetration. Thus, leaving the user with what one wants - performance with a reasonable modicum of safety. Security is always a balance between usability and safety...after all, how many prophylactics are too many...

Obviously, if one "wanted" to breach a system configured as this, one could. But, that is not the point of providing security. One can "always" provide more guard dogs and more fences - and one can "always" find a way around them all. But, at some point, providing security becomes the dominant focus rather than providing a useable system...and thus, defeats the very reason why one is using a computer in the first place. The issue is one of "probability" not one of "possibility"...in my view.

So, to answer the original question posed in this thread....Yes, with some attention to the custom rules. As PrevX Edge develops it may become a good or even better alternative than TF...and may even result in a lighter footprint...while maintaining a reasonable level of protection...we shall see as it moves along.

"All things in moderation"...

galileo

 

galileo you been either lucky or very safe surfer cause i know that threatfire in some of my test was bypass very easilly even in level 5 senstivity level,anyway your router firewall it is not responsible if you agree to download a malware(for example)so it will not help you to stop it you need a antivirus or a sandbox(virtualizer)to fully detect or contain malware
now i know that threatfire and with a good/strong firewall will give a very solid protection againts malware you have to be carefully cause there some malware there very nasty that can bypass your firewall or behaviour blocker very easilly.but if you an expert and you know what you are doing go for it with that combo and if it work for you cool i like people with a brave soul,i am like that

 

Your statement is correct..."if you agree to download a malware" but, then why are you agreeing to download malware...?... If you do in fact wish to swim with aligators then, perhaps you should expect an occasional bite...

Again, your statement is correct. However, this is an issue of philosophy as to how much protection one wants to expend effort creating. However secure the bank is, there will "always" be a bank robber...IMHO, at some point one accepts that the plane "may" crash but, that it is still safe "enough" to fly....to use an analogy.......(and I am big on analogies)

galileo

 

that's exactly the way we learn the hard way"the way to learn about how malware works"id never says or agree to download malware,i do some testing"happy tester here" do you think i am damn to test malware in my real pc without virtualization or at least a sandbox program if i said that i like brave soul and i know i am one cause for the reason that i do my testing with either within defensewall/sandboxie malware is cointain very well again about been lucky yes you are lucky or even safe surfer and a brave soul

 

You are correct and sensible in what you are doing. With respect to the question posed by L815 at the beginning of this thread, I have been speaking to the issue of what does an average user need to use for one's typical daily needs. I would submit that the average user is perhaps not doing what you (or I) may be doing when we are "testing" to see what an effective security configuration might require. The average user is most likely not "bungee" jumping for his thrills....he is probably just going out to dinner......LOL...Hence, the question is what restaurant are we suggesting he visit...rather than what life insurance policy he should carry....

These are always good conversations to have as they help users identify what and why they may want to learn about how to protect themselves and their systems...

galileo

 

that is cool i am also going to answear the question in the post it is not enough just a firewall with threatfire,have to have a antivirus at least

 

anyway i will never recomend these for daily use especially my friends

 

Respectfully, if TF blocks viruses - and, it is a zero-day virus blocker thus, it would also be a 1000-day virus blocker - then, IMHO, for the average user, TF with rules and Windows Firewall are adequate assuming you are behind a router with a hardware firewall - which most users are in today's techworld.

All are entitled to their opinions...

galileo

 

ok if you get infected(never say never)will threatfire remove the malware "no"imagine a regular people with no knowledge at all can not have these type of aproach"not recomended"still need an antivirus especially for regular people

 

There is nothing wrong with having an on-demand virus scanner/remover. In fact, that is a reasonable tool to have onboard given that the "possibility" of a security breach is truly 100%. The issue again, is one of the probability of a breach, not the possibility of a breach.

However, IMHO, the average system does not require a real-time AV tool. And, real-time AV tools have a notable impact on system performance...particularly on moderate capability systems. My approach has been to balance security against performance through a realistic assessment of the "probability" of a breach. My experience with the average user and the average system has thus led me to where I am today.

I have simply not seen that the "probability" of security breaches under said conditions requires any further real-time protection than I have noted, IMHO. I agree wholeheartedly with you that one should have suitable removal/recovery tools available...I simply take the position that given the realities of the average user, one does not need them in a real-time mode. And thus, one can avoid the performance hits that come with additional real-time tools.

...good discussion...

galileo

 

i agree good discussion,now look at this situation one of my friends he has spyware doctor with antivirus and threatfire and a solid firewall,(and he has antivirus)(imaging without it,maybe worse)
it took to just click a link and guez what i am not saying that your aproach is wrong but like i said before for regular/average people is not recomended,out of all my friends this one didnt listen to my advise when he requested and advise and he was the one getting hit hard,i am not saying it can happen to you,cause i feel that you have some knowledge but what about the inocent that dont even know how malware can damage their pc's
one of my happy clickers friend was infected last year and his pc got trojans,spywares,adwares,etc,etc that was last year,got him a program call appranger and i saw him last week and he invited me to his house and same time i check his pc and guez what"clean"have to find the way buddy,my point is that a behaviour blocker/firewall is not enough for a regular user especially those happy clikers for you i know it may be enough(good luck)

 

@jmonge

...LOL...I just re-read our discussion...I think we are esentially starting to repeat ourselves. So, I guess its time to give this a rest for a while. I hope that L815 has gained some perspective...if not specific direction.

galileo

 

sorry i need some coffee

 

"So my question to you all is:
What would be a easy to use, effective and lightweight firewall to use for a laptop?
Is threatfire(without an AV) the right choice when dealing with malicious intent as stated above?"

Yeah, I go through the same thoughts about what is enough security.

For my laptop the last several months I've chosen to just run Sandboxie without an antivirus. Next came Edge free to detect any unusual behavior. It also gives a user right-click scanning of files without the overhead of a tradtional antivirus scanner. Then I added Returnil the other day with the latest free version. The new anti-executable feature and file protection feature caught me by surprise and is worth checking out.

Basically, I wanted programs with high protection strength and low cpu use and low disk i/o to preserve battery life. All of these programs fit the bill.

I think if you try any combination of the above you might find what you are looking for. In my opinion Edge will sniff out more bad stuff than TF and I also think windows firewall is sufficient without the disk i/o (battery consumption) of a hips firewall.

Throw in AppGuard or EdgeGuard Solo and you have a real solid and light combo.

 

If you are willing to try a firewall with HIPS included, Online Armor is good.
I use PCTools Firewall Plus with the HIPS activated and have suffered no problems with it.
These are both light on resources in my experience and would be very good choices for your firewall.

 

It is better to have a anti-malware scanner besides having a firewall and a behavioral blocker.

You never know if your system is infected.
A few days ago, I posted my experience with a mutated SVCNOST.EXE disguising itself as SVCHOST.EXE.
It was able to bypass even COMODO Firewall, since COMODO reads it as a "trusted" process.

I don't know how long it has been in my system, and how long it has been perhaps taking info from my browsing data and/or account passwords.

I installed SpySweeper and Spyware Doctor. Both were able to detect the hidden process, when even MBAM and SAS failed to do so.

So I recommend you should use a top-notch anti-malware scanner for added security

 

agree with your coment 100%

 

Is anyone else running this setup?

 

should be fine especially considering since an av+fw is considered rather safe when used with care - knowing TF focusses mostly on 0 day malware id have to give it a up