Need some advice, please =)

Hi all,
I need some advice.
I know that no realtime AV setup is possible and some people in this forums use it.
I know that it can be achieved with different ways: full virtualization (Vbox, Vmware), light virtualization (shadow defender, returnill), Defencewall, Geswall, sandboxie or combination of them and etc.
I am familiar with most of those programs and used them and know their principle and differences.

I need advice on which approach will be better in terms of security and lightnes and ease of use.

My main point to get rid of real time AV scanner is that I believe that it isn't able to protect alone. So obviously everybody uses some added protection with them.
But nowadays when those added protection can offer almost perfect protection, do we really need AV programm in real-time? (I don't think that nowadays there are a lot of malwares intended to burn out your HD or harm you in the similar way with 0 profit to them.) So programms like Geswall, Defencewall or shadow defender and anti-keyloger or their combination could protect user without Real time AV.
I know what you think, yes, I could leave AV on just in case, but it's not like this. I once used Defencewall with the combination of my AV suite and I had really bad gaming experience (I mean REALLY bad, like low fps, lags, lost packets and etc)
So I ended-up uninstalling Defencewall and now I have only my AV (Mcafee Security Suite with Firewall, AV, Anti-spam. and Anti-spyware) as I then I wasn't ready to uninstall AV and stay only with defencewall.

But you know I actually don't have much sensitive data on my PC and have copy of them on my another laptop and some DVDs, so I some times think do I really need to be so much paranoic Yeah it will be hard if some thing happens had to reinstall Windows and drivers and programms etc.

My only real danger which can harm me really hard is online banking.

So I am thinking is it worth installing 100 security programs putting 50 of them on real time. And make my experience on PC terrible: annoying pop-up, rules, terrible gaming experience, slow performance and much more.

Or should I go with no real time AV light setup (either it is virtualisation or HIPS, or policy restriction) but maybe get almost unbreakable defence.

Or stop being paranoic and just add nice anti keylogger to my current McAfee security suite (yeah I know that this is my problem and that it is resourse hog, bu hey, I got it for free from my bank so I is not easy to giveup paid software you got for free in favour of free AVs. even if I do this the it will be only AV, so I will have to find new Firewall aswell.)
btw, I have a-squared Anti Malware free licence too maybe use it instead of Mcafee?

ok, I know it was a bit confusing and topic slight changed from what I was starting to write.
But I hope you guys help me to decide!
Thank you!!!

P.S. I just realised it was so long, sorry for that
P.S.1. Please correct me if it was wrong section.(I put it there as I was starting to write about no AV setup, but it changed topic towards the end )
P.S.2. I forgot to mention, I am eager to learn everything new but my family members like when it is less annoying and more automatic

 

Take a moment to read Securing Your PC and Data. That might crystallize your thinking, or at least present a few options.

Blue

 

You didn't even specify your O/S. What are you using?

 

Personally I think that a sandbox or a virtualizer is a must, not only against 99% of malware, but your own configurations mistakes, conflicts and what not. These are really light in terms of resources and won't slow down your machine. I also run an AV on one computer and an 'anti executable' on another (any HIPS can stop executables) in the unlikely event that malware might attack the virtual system. It is 5 years now, without even a tracking cookie on my machines.

I almost forgot: Backing up your system should be a normal routine for any computer literate.

 

oh, sorry my bad

I am using Windows 7 Ultimate 32-bit on one laptop.
and windows Vista Hope Premium 64-bit on another.

Thanks a lot BlueZannetti, it's nice reading. But any particular advice about my current situation?

Yeah, I know that I should backup (problem is I do;t have external HD right now, so can I backup to my another laptop, or even Ipod (80 GB)? )
Currently I have all my documents and personal files copied to DVDs and my Ipod.

Or yeah about Firewall, btw I use router and I know that my router has buld-in firewall (but I am not sure if it's good enough), So then, I hope I don'y need too strong firewall.
And |If I start using Deffencewall, (I think new version has firewall aswell)

And I noticed that I haven't specified my usage: browsing (more or less secure one), P2P TV, massangers, Online gaming, now and then maybe torrents. I get movies from my friend but I know that he got them from torrents. I think those are the risks I take. Maybe also experimenting programms (but I think I am more or less secure on that)

Thank you to all of you again

 

i will recomend DefenfeWall Hips or Shadow Defender =) XD

 

Sure.

• My own preference is to minimize the need for me (or any user of the machine) to render decisions on the fly. Therefore, I try to address issues from a configuration/policy perspective when possible, but recognize that doesn't always cover me.
• Take advantage of native OS capabilities - have separate Admin level and Limited user level accounts for system maintenance and routine usage. See Configuring Windows 7 for a Limited User Account (by Steve Friedl). Use this as your primary protection mechanism.
• I personally like the light virtualization solutions with ShadowDefender and Returnil as the current pair of options I'd recommend. Both are compatible with Win7/64-bit options. Try both and weigh the options. They have somewhat different feature sets and pricing models. Depending on your needs, one may be preferred. Both are solid.
• I still think access to AV functionality is useful for the vast majority of end users, but implementation details span an extremely wide range going from reliance on available web-based multiscanners to periodically verify downloaded content, to local client demand only solutions, to standard real-time monitoring standalone AV's or suites. Any of these approaches work. The most appropriate is really a matter of need.

I'd leave it at that and see how the systems perform before adding or adjusting anything.

Obviously, full blown and continuous backup is desired, but reality (cost, scalability, etc.) occasionally intrudes. What you need to walk through is a scenario in which your HDD fails catastrophically and ask yourself "Do I have all the information needed (i.e. serial key files or key codes, order information, contact information, remote login information, personal files, system install disks, etc.) to reconstruct my system to it's previous state. This collection of information is often a lot smaller than a full blown backup.

I tend to simply use the NAT capabilities of my routers as a low level defacto security feature. Whenever I do use a firewall, it's more for diagnostic purposes.

Regardless of the level of detail one goes into, we're really assessing a balance between user convenience and security. Those two end goals are always in competition. You need to think about where your preferred balance resides.

Blue

 

Here's my approach:

1. A strong HIPS-type solution such as Sandboxie or Defensewall. Aim: to minimise the risk of getting infected from common threat-gates in the first place

2. A sensible approach to newly introduced files on your pc, e,g, scan with virustotal

3. A fallback solution to protect your online banking and other sensitive data in the effect that you have inadvertently infected your PC, e.g. Prevx Safeonline

The biggest risk in getting infected is me, not the security software I run.

 

Everyone is different in their setup, browsing behaviour, and use of their PC (some for games, others for work).

I'll give you an idea of mine at the moment. I have licences for defensewall, sandboxie, a-squared, shadow defender and so on, all are excellent programs. I would suggest shadow defender, but depending on the games you're playing, many download data to save your bandwidth, and removing this info on reboot will mean that data will have to be downloaded all over again. A-squared anti-malware is an excellent program, although I did find my system was churning away (at times, for some reason).

As I'm playing a few online games at the moment (good old holiday period), I wanted to have lag free gaming, and make sure I get those head-shots. I'll outline what I'm running at the moment - might suit you as well.

I have a behaviour based monitoring program, it's paid software from developers of a-squared, called Mamutu to notify of any malicious activity, change to system process, copying of files in the background etc etc. It's similar to ThreatFire, which is free and I've used for a long time, but users have noticed a slight slowdown with threatfire running - especially with firefox or some online games. Mamutu on the other hand, seems as though I'm not running anything. Best part with the program, you can quarantine the file/process if an alert is given, rather than just block, and alerts have community feedback.

Any files downloaded, I scan with a-squared free. You'd need to update this every day, or every couple of days. It also integrates into the right-click menu, so you can scan files as soon as they download. A-squared free has excellent detection rates, so it's worth having even if you had a resident AV always running. It runs a service in the background, of a few MB, to enable it to give you a right-click context scan and prevent malware from terminating the program.

Hitman Pro is a cloud-based scanner, utilising several scanning engines including a-squared, Nod, prevx and so on. You can run this at the end of your gaming session, so all active processes are scanned, and system files. You can also set this up to integrate as a right-click scan, so you can scan downloaded files with a-squared free, and hitman pro. It's free to scan, has a 30-day removal option. The developers are on here so can answer any questions. Does well with difficult to remove files, rootkits and so on.

I'm also running a-squared's hijackfree, which starts on-demand, to terminate any active processes, see what's running, to check what's loaded on start-up, see which services are running (you can stop and uninstall services if need be), check if any explorer add-ons are installed, and see what is trying to connect outbound. You can kill and even delete any files connecting outbound. Great process monitor, and it's free and has a portable version available as well.

You could also scan once a week with malwarebytes. Nothing more needs to be said, excellent program.

Real-time
Mamutu

On-demand
a-squared free (update once a day - scan all downloaded files)
hitman pro (scan daily - takes 1 minute - can scan all downloaded files)
malwarebytes (scan weekly - takes 2 minutes - can scan all downloaded files)
hijackfree (check any outbound connections etc)

See this thread for more suggestions:
https://www.wilderssecurity.com/showthread.php?t=111264&page=251

 

Here's what I have: a limited user account with a software restriction policy and DEP with no real-time AVs. Every two weeks or so I run an on-demand scan with Malwarebytes, SuperAntiSpyware and AVZ and they never find anything. I've also had Avira and Avast installed on-demand only and they never found anything either.

This setup is easy to implement, uses no resources and doesn't cause any system instability.

If you have a router with a firewall you can skip the "personal firewall" as well.

 

The OP is interested in a setup without a real-time AV. Your suggestion is to get rid of one resource hog and replace it with three?

With all that other stuff running this is a moot point.

 

ok, for now untill I decide on combination of non AV setup:

I got rid off Mcafee.

And installed 90 day trial of Norton Internet Security 2010
As it was claimed to be the lightest and fastest one. And I got nice feedbacks from people who used it. And it got on top already in 2 real world tests (Av-comparatives and Av-test)

I think 90 day should be enough for me decide on non AV setup or if it's light and I really like it, enough time to decide to buy it (or hopefully come across some giveaway )

@jmonge I used both of them. I like them. I have licence for shadow defender, So I will probably install it (atleast for on-demand) But I have also have returnill 1 year licence so I am deciding between them.
With Defencewall it wasn't really good for gaming, ( as I already mentioned, maybe it was combination of my setup). Anyway thank you!

@BlueZannetti
Again really good reading, I even enjoyed it =)

I love it and that's one of my main preferences too!
Yeah, I am gonna setup LUA, but just quick question, I already have set up my current account (limited admin) for my and my family need and preferences. So I want to change it to User and create new account as Admin. Will there be any problems with preogramms I have installed with my current account (as this account will soon become user). I mean especially security programs like AV, Hitman Pro, Malwarebytes, Ccleaner and others,

As I mentioned I am thinking about Shadow Defender and Returnill.


About backup, I am doing just copies of most needed files.

Thank you a lot!

@Scoobs72
Thank you!
I use Virus Total uploader for small files.

@Saraceno
Again, very interesting reading

I do use Malwarebytes and started using hitmanPro as on demand scanner.

I will definately look at Mamutu
Thank you!

@Johnny123
Very easy and light setup.
I use DEP on all my preogramms except HL launcher (game, as it crashes it)
As I mentioned I am planning to setup LUA
And when you say "software restriction policy", you mean policy restriction HIPS? Sorry if I am wrong...

But still using just this without anything else, do you feel comfortable?
Maybe I am too worried... =S
Thank you!

P.S. And I noticed that most security products don't support Google Chrome (but it's my favourite browser)
When I used McAfee, it's siteadvisor did't support Chrome.
Now NIS 2010 has some toolbar and anti-phishing protection but not in Chrome
Should I switch to Firefox atleast for online banking or is there alternatives for Chrome? maybe some anti-keyloggers?

 

Chrome has its own anti-phishing protection as well as warning you from sites that have been reported infected (I use Chrome as my main browser and it has notified me on several occasions). I wouldn't rely completely on it though.

 

jav i think that with just defensewall you are all covered

 

No HIPS, SRP is this here. The nice part of LUA and SRP is not having all kinds of security apps running. These are features of the OS that are easily used and very few people here seem to take advantage of them. I find this rather amazing considering that this is supposed to be a security forum. Security is more than just installing applications but unfortunately that's the response you'll get here most of the time.

It happens quite often. Someone will ask about a setup for a friend or relative who is computer-illiterate and he gets bombarded with suggestions for 75 different applications. One person will suggest LUA as a good starting point and his posting is either ignored or some moron (I won't mention any names in order to protect the guilty) will actually say that running as admin is safer. Sad state of affairs, that is.

Of course I feel comfortable with this setup, otherwise I wouldn't do it. Don't forget that it's important to keep your system updated as well as things like Flash and Java. Avoiding Quicktime and Adobe Reader is also a good idea.

You shouldn't worry too much. Paranoia leads to overkill and irrational decisions.

 

@Johnny123

Thank you very much!
It seems to be a lot easier then I thought it is.
And I like it's concept, it is in a way like Defencewall but built into Windows itself.

But I have quick questions:
1. question I asked BlueZannetti about LUA in last post.
2. I have some games which are not in Program files folder. So I had to manually allow this folder for execution. It's fine but, it's online game so, I know it should write to that directory but SRP will block him writing (as it will only allow write to user folder) So if I allow SRP to write also in game folder, then it will kill idea of SRP as it will be same folder that can be written and executed.
3. After some searching I came across Applocker (I use Windows 7 Ultimate). I understand that it was something to do with SRP, so any use from it for me?

Thank you again.

 

You can change your account with admin rights to a limited account, no problem. But, and this is very important, make another admin account before you do it! I played around with Windows 7 for a while and didn't know that you can't access the default admin account "Administrator". Needless to say, this put me up the creek without a paddle.

OK, games are some of the worst offenders for not running properly with limited accounts. You can make a path rule to allow it to execute in its non-standard installation directory. SRP doesn't control writing, it controls execution in places other than Program Files and Windows. You can figure out what file has to have write privileges (either from the error popups or the event viewer) and change that with right click->properties->security tab. I would prefer to give the one file, or files if there's more than one, write privileges rather than the whole directory.

Applocker is supposed to be very good. I've never used it personally, but Windchild can tell you about this. Do a search for his postings on Applocker and you'll probably find them pretty easily.

For the OSs that don't have gpedit.msc search here for Pretty Good Security. This is an app done by Wilders member Sully which will allow you to enable SRP on systems without gpedit, such as XP Home. Very nice.

 

Hard to say. I simply make needed adjustments as required. Since I don't run Win7 or Vista, I really can't speak to specifics with those OS's. On XP Pro I simply use SuRun to finesse the rough spots.

Blue

 

+ 1 In addition, I don't know about the Vista Hope, but for Win 7 I would use the built-in backup feature to image your setup on occasion, at least, and take advantage of the AppLocker feature under the policy editor to auto-generate the rules - as many Publisher rules as possible - for both the x86 and x64 program directories for the Standard account(s). If you use this latter feature, you could do away with the virtualization software. Just my opinion. You'll want to read up on AppLocker first to get an idea how it works. As long as you first create the defaults, you eliminate the risk of locking yourself out. It's pretty intuitive.

 

Thank you guys.
ok, now:

I created new Admin account. And changed my current account into Standart User.
There seems no problems so far.
when I try to run security Programs (like Malwarenytes, Hitman Pro) which I was worrying will be some problem promt like UAC and ask for admin password so they run like admin so with full powers.
Is it ok? They will work really with full powers? Or should I switch to Admin account to scan with those programs?
And instalation, i think I can just install them by providing pass or clicking run as Admin, Am I right? Is there really much need to switch to Admin account?


Now, I am looking more information about Applocker, so soon I will probably setup SRP with or without Applocker if it will not cause problems with my routine. (as we already discussed there maybe some difficulties with configuring it to games, hopefully I will find solution)

Thank you everybody.
Any more advices?

 

One or the other, Jav - not both. My vote goes for AppLocker; it is proven superior to SRP.

A good resource for for an overview and general usage of Applocker is here:

http://207.46.16.252/en-us/magazinebeta/2009.10.geekofalltrades.aspx

For more detail, check out here:

http://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx

Important! If you want to test your AppLocker ruleset before deploying, check out my post here:

https://www.wilderssecurity.com/showpost.php?p=1579682&postcount=1

Take a look at whitelist vs blacklist; whitelist is better

 

Me, I just use a AV, works fine and still feel it is all you need. Of course I use quite a few but never more then one.