antivirus, hips and sandboxes

Discussion in 'other anti-malware software' started by jmonge, Jul 4, 2008.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I don't know if my post is appropriate in this forum, but I'm just kind of curious
    which one is more effective at blocking malware: the antivirus/antispyware
    or the HIPS or sandbox tools?
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Re: antivirus ,hips ,and sandboxes

    By malware do you mean all malicious software? Also, are you specifically talking about getting infected from internet activities or all means?

    A HIPS should alert to anything that wants to run, but it would require that you know the correct answer when the file runs. DefenseWall should also do a good job of limiting what a downloaded file can do.

    Sandboxie can be set up so that your web browser, etc. are the only things that can run in the sandbox. I just set mine up like this last night and it works well. I even renamed a file (Storm worm) to "firefox.exe", "winamp.exe" and "start.exe" and it didn't run. It can also be set to block access to certain files, folders, partitions or drives. I think DefenseWall can do this also.

    Anti-virus/anti-malware programs are still useful but far from perfect. I still run an AV because I'm just not that good with HIPS. Also, everything I download gets scanned with my AV and 2 anti-malwares and/or submitted to VirusTotal or Jotti before it's allowed to run on my machine.
     
    Last edited: Jul 5, 2008
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: antivirus ,hips ,and sandboxes

    By malware in general, coming from all sources or internet-facing apps like Internet Explorer or wmplayer. Security in general for a non-geek user, family or average user.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: antivirus ,hips ,and sandboxes

    Thanks for the link huanker, I will check it out later.
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Re: antivirus ,hips ,and sandboxes

    Hi

    I think the most effective for beginners are policy sandboxes, because they do everything automatically and you rarely get alerts.

    But it is best to use a combination of security software.
     
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: antivirus ,hips ,and sandboxes

    Hi jmonge
    For determining what is the best security, you must first determine what your "infection vectors" are. This means HOW CAN YOU GET INFECTED.
    This will depend on your computing habits. For instance: are you a safe surfer; do you p2p; do you plug in a lot of usb drives that are not yours; or does your own usb drive go to many computers, etc.
    Once you have checked that, you must understand how security software works, and this way use that software to cover your bases against those vectors. If you don't do that, you MIGHT end up with layer over layer but with no real protection.
    One example would be securing your browser as much as you can, but not paying attention to usb drives.

    For a better understanding of how security software works, read my little analogy regarding real-time protection (if you go to post #10 in the same thread, you'll see how BlueZanetti explains it without an analogy).

    I hope this helps.
    :)
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Re: antivirus ,hips ,and sandboxes

    OK, thanks. IMO, a good suite is the way to go for the average user. The only problem is whether they can/will renew it when the time comes.

    If not a suite, then a plain AV with high detection rates would be easiest but the least effective (relatively speaking), but may be adequate. Next would be the policy sandbox as Someone suggested and, depending on the user, Sandboxie (a virtualization sandbox) may be fine. Another easy HIPS/firewall would be Online Armor, and they have both a paid and a free version.

    OT: Consider setting them up with a Limited User Account. Also, it's important to keep everything up to date and patched (see my sig. for an online scan to check). Most online malware is looking for holes in your software (browsers, Java, Flash, media players etc.) that probably already have a patch/fix.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Re: antivirus ,hips ,and sandboxes

    A good solid HIPS is of enormous value if a user is so inclined, because NOTHING! and I do mean NOTHING! can compromise it as long as you supplement it with an executable interceptor, i.e. a whitelist like AE provides.

    Then of course there are virtual systems, sandboxes, etc., all of which cancelled my own interest in any AV ever again. Going on over a year now without one and I've had better results without their blacklist dependencies than with the alternatives just mentioned. Plus my computer runs faster and the protection is much more dependable! and without wasting money!

    EASTER
     
  10. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Re: antivirus ,hips ,and sandboxes

    Hi

    I agree with you except for the part about Online Armor. I think outbound protection is not really necessary so you can get something like ThreatFire and change it to automatically quarantine so the user does not need to do anything. And it's free.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: antivirus ,hips ,and sandboxes

    Unfortunately, there are no comparative tests regarding real-world malware prevention. So, it's just impossible to answer your question with concrete numbers.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    When it comes to getting infected by malware, it does not matter what your computer or surfing habits are; you just have to click the wrong link and you are infected. I thank this forum a lot because it was my path to knowing DefenseWall and Sandboxie, the only 2 security software programs I really trust.
    For ages I was computing with McAfee and Zone Alarm and I always ended up
    infected no matter what, whatever my computer habits. Now I am very sure that if I sandbox my internet apps or the apps that need to connect to the net I will be
    very secure. I am not trying to ditch any antivirus, but from my own experience I am better off with the policy-based sandbox or pure sandbox for blocking malware.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I agree with you, Someone, about outbound protection. Maybe I am wrong, but I think that if you take good care of what is coming into your PC, why bother about what is going out? I mean, if you are not infected, how can
    you get a transmission out? Now, if you have a trojan horse, those little horses that do a lot of damage, then we have to be concerned about outbound. By the way, I heard that a stealth trojan horse could bypass any firewall, so no outbound protection. Maybe I am wrong; I am a novice here, learning. I visit this forum and other ones and I am learning a lot, so thanks again. I opened my eyes after reading a lot of posts out here and I realize that an antivirus alone is useless. I used to think that McAfee was the only and the best solution out there.
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Which means that your infection vectors are mainly internet-facing apps. Which has to do with your habits, since you use those apps. :)
    Being a safe surfer just reduces the risk associated with that vector.
    I also rely on SBIE only (and Returnil), because it's rock solid and I understand how it works.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yes HURST, and also this is a PC for the whole family. Now I want to ask you:
    if you configure Sandboxie to allow only Internet Explorer to connect to the net, do you really need to run a software firewall, of course when you have Windows Firewall on or maybe are connected to a router? Very soon DefenseWall
    will have some kind of outbound protection too.
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Actually, you can't make it so that IExplore is the only app connecting to the internet.
    What you can do is make it so that IExplore is the only app connecting IN THE SANDBOX.
    Apps outside the sandbox will still be able to connect.
    Still, this is useful for drive-by downloads that call out, but if you want full outbound protection you should go with a firewall, since the Win firewall only provides inbound protection.

    I don't know how OB protection from DW will be (will it be full protection like a firewall, or only for untrusted apps, etc.); perhaps Ilya could explain this.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    OK HURST, got it,
    so that means that with that feature you could block spy programs (keyloggers) and trojan horses from stealing data?
    I really like Sandboxie and DefenseWall; it is like, how can I say it, it is a must to have those.
    Just kidding. Anyway, I like a feature from Sandboxie, and that is that you can delete
    your sandbox, empty it; it is like going to the washroom and flushing the toilet:
    "everything is gone".
     
    Last edited: Jul 5, 2008
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes. If those keyloggers and trojans are downloaded with the browser and stay in the sandbox, yes, they wouldn't be able to connect out.
    If you recover the trojan and it runs outside the sandbox, you lost the battle.

    Remember that Sandboxie has a configuration option where other things can't even run in the sandbox. In other words, IE is the only app that can run, and any downloaded executable will be useless if kept in the sandbox.

    And of course there is the "block folder" option, which can lock the folders you want to keep protected. Nothing in the sandbox can access those folders: no read, no write, no delete. For example, I lock some of my data folders that contain private data (financial records, etc.).
     
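A constructed Sandboxie.ini fragment, added here and not taken from the thread or from Sandboxie's own documentation, showing the two restrictions HURST describes in posts 16 and 18: only Internet Explorer may reach the network from inside the sandbox, and one folder is locked against everything sandboxed. The sandbox name and the folder path are placeholders, and the key names and the `!program,` exclusion prefix follow Sandboxie's ini syntax as I understand it for the version current at the time, so verify them against the documentation for your release.

```ini
; Constructed example, not from the thread. "FamilyBrowser" is a placeholder sandbox name.
[FamilyBrowser]
Enabled=y

; Internet access restriction: close the network device objects to every
; sandboxed program EXCEPT iexplore.exe ("!" prefix = all programs other than
; the one named). Programs running OUTSIDE the sandbox are unaffected, which is
; why HURST says this is not a substitute for an outbound firewall.
ClosedFilePath=!iexplore.exe,\Device\Afd*
ClosedFilePath=!iexplore.exe,\Device\Tcp*
ClosedFilePath=!iexplore.exe,\Device\Udp*
ClosedFilePath=!iexplore.exe,\Device\RawIp*

; "Block folder": nothing sandboxed may read, write or delete under this path,
; so a keylogger or trojan confined to the sandbox cannot harvest it.
; Placeholder path; point it at your own private-data folder.
ClosedFilePath=C:\Users\Family\Documents\Financial
```

Check the effect by starting a second program inside the same sandbox: it should fail to open network connections and should be unable to list the locked folder, while the same program started outside the sandbox behaves normally.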
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree. If one surfer spends the vast majority of their time surfing porn sites and another spends their time on eBay, which surfer is more likely to become infected? So surfing habits can be a big factor in who stays clean and who gets infected.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yes, I agree 100%. That's why we only use our PC for surfing, banking, Hotmail, Messenger, YouTube, but no LimeWire because it is kind of dangerous :rolleyes:
    We try to keep safe :D and no adult content on my PC :eek:
    Thank you guys for your replies. I was invited to a barbecue, I am very hungry :D
    so I'll see you later and thanks for everything. I will reply later. See ya.
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Only for untrusted processes; there is no need to do that for the trusted ones, but one exception: if you put an app into the "always deny" list manually, this will stop it from making internet connections in all modes. I think this should be fine.
     
  22. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Sounds great.

    Every day I'm more tempted to try DW.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Once you experience the overwhelming security of DW and its simplicity, which actually helps the user and requires a lot less interaction than, say, a full-blown HIPS, you'll be sold on it.

    DW is one of those in a class like FD-ISR in my book, a one-of-a-kind solution, and the support? Hey, this maker watches over his creation as though it were permanently attached to his person, which in some ways it is? :D

    Seriously, this is a very strong prevention app, and some might wonder why I personally don't make a lot more noise over it than I do. It's because I do a lot of malware research and this app PREVENTS so many bad things from happening, and I need a little wiggle room sometimes. :cool:
     
  24. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I know how good it is. Every day I read good things about it, and the support offered by Ilya is just another BIG plus for DW.
    But I love SBIE.
    Hopefully in a few months I'll buy another computer and then I'll have SBIE on my laptop and DW on the desktop (or the other way around).
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I am back, that barbecue was great :cool: Anyway HURST, I use DefenseWall and Sandboxie together with no problem. It may be too much protection but it is OK;
    my internet speed is great, no slowdowns at any time. :D
     