Bullet Proof Setup

Discussion in 'other anti-malware software' started by Gasp, Mar 9, 2010.

Thread Status:
Not open for further replies.
  1. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I got hit with a trojan & rootkit the other night which had been bundles into another application so I need to re-think my security. I am currently using Norton & Prevx. Norton completely missed it and Prevx only picked it up a few hours after install, presumably after the cloud analysis.

    This had me thinking a bit here. If you download a setup file for an application, even after scanning it with every anti-malware known to man, that doesn't indicate its clean it just means if there is malware it is undetectable.

    Real cloud scanning such as panda & prevx is obviously a fantastic line of defence here, but the downside is that could take up to 48 hours for any notification of infection. By this time any rootkit will be well hidden away.

    My current setup looks something like this:

    Disk Backup
    Paragon Disk Backup 10 (PAID)

    Real-Time Proection
    Norton Internet Security 2010 (PAID)
    PrevX (PAID)
    Sandboxie (FREE)

    On-Demand Scanning
    Malware Bytes (FREE)
    Hitman Pro (FREE)
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Far, far from bullet-proof (it doesn't exist), though your imaging solution will at least get whatever malware that does show up off of your system. NIS is not as good as people want to believe, though it is far from the worst. Prevx, I need to see more from them to validate all their claims, but I'm a picky sort. Sandboxie, if you can afford it, pay for it. The free version is just too restricted to be of much use, imho. MBAM has proven itself, in certain areas. Hitman Pro, I'm not really a fan of the "pay us to clean your system" business model. It's too rogue-like for my taste.

    I didn't post this to shoot down your setup, btw. You picked some well-liked applications. If they totally sucked no one here would keep recommending them. I'm just posting my personal thoughts on them. Always understand though that nothing you do can "bulletproof" your system, unless of course you unplug it from the wall.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi sorry to hear about that, but at least you have backup. What was the file, and where did you get it ?

    A lot of us upload any new files to places like http://www.virustotal.com which has multiple AV scan engines. Not always 100% foolproof with brand new malware, but better than just one or two local options. Not much you can do about unknown malware, apart from not running it. That's why it's best to err on the side of caution if you're not totally sure of the source.

    What happened with Sandboxie ?
     
  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    If I were to install an application of unknown legitimacy I'd be looking to isolate it from the system.If it didn't need to install drivers I'd either install it within Sandboxie or Symantec Workspace Virtualization (formerly Altiris SVS).On the other hand if it did require a driver installation I'd use Virtualbox.
     
  5. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    You bring up some interesting points.
    So what do you use for AV/AM etc?
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    At the moment I have Avast 5 Free and MBAM paid doing the "heavy lifting", with Sandboxie paid as my "if all else fails" measure. Far less "bulletproof" than even the OP's setup. I however am not trying for that kind of a setup. I cannot and will not sacrifice my enjoyment of a very fast, lean system (Windows 7 64) because I'm afraid of some world-ending malware destroying my life or turning me into a member of the botnet army.

    I feel that if I run a file through both a well-received AV and AM and it comes up clean, well, to me, it's clean. Getting 10 different opinions from vendors not only is a waste of my time, it opens the door to FP detections and confusion even wider. I need my system to do what I bought it for, not scan every letter I type on the keyboard and throw a pop-up at me every time Windows or an application does something.

    To be honest, I believe that the more security you have, the less secure you are. Hell, anymore security vendors can't keep up with the ever increasingly sophisticated malware, so how on earth am I supposed to? I block ads, I use Noscript, I tightened IE zone settings, I run a well-known AV and AM. If that can't secure me enough, screw it, I won't worry about it.

    There's no sense in running several security apps when they all can fail no matter how good they are. All it does is suck up resources, and the OS already is quite good enough at that and doesn't require help with it.
     
  7. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I suspect someone used a fudder to attach the rootkit/trojan into the genuine application. I did run a pass with virustotal but only got 2 hits.

    I wasn't expecting Norton to find 0day malware but the SONAR has let me down big time. Where is the point popping up to say suspicious file, then allowing it to takeover my system. As for FileInsight, this should have been developed more like Prevx.


    You share the same opinion of millions my friend. Not saying there is anything wrong with that, but its not good to trust files based on 2 scans. You'd be the perfect 0day attack.
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    The only bullet proof solution is to shut off your computer and leave it off. Barring that, there is always the chance of getting hit so the important part is having a bullet proof back up strategy to get you up in going as quick as possible.
     
  9. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks for your info.
    Though I have a little more than you do, I try to keep it simple for the same reasons.
    I don't sit around all day and worry about terrorists. And I won't be a slave to perceived security.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What was the application, and where (what site) did you obtain it?

    thanks,

    -rich
     
    Last edited: Mar 10, 2010
  11. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    FWIW, My set up is as follows:
    Avast 5 AV
    Outpost FW 2009
    MBAM on demand, SAS real time
    SpywareBlaster
    Shadow Defender, virtual surfing
    FD-ISR (original)
    :ninja:
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The problem is unless you run a HIPS program, you can have every AV and AM created running real time and still a true 0-day is going to bust you. And, with the current state of true HIPS applications, an average user is more likely to get infected and/or hose their system than be protected. Damned if you do, damned if you don't.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That is the big question, isn't it? Because quite honestly, to me, "I got hit with a trojan which had been bundled into another application" sounds a whole lot like "I downloaded some warez off some P2P and it turned out to be infected." Yes, I realize people want to do that stuff. But in that case, one must realize that occasionally they are likely to run into infected files, and things even worse than that.

    As others have said, there (practically) ain't no such thing as bullet proof security. A good place to start, though, would be your own actions, in particular, deciding who to trust. Consider whether you really trust, and should trust, the source of the file, before you open and execute it! You downloaded it from Microsoft, and the file seems to have a valid Microsoft Corporation digital signature, and your AV doesn't complain about the file? Well, that file doesn't sound very risky. But if you downloaded it from some file sharing service, the file has no valid digital signature and its checksums do not match the checksums reported for that application's installer on the developer's official download page? This file you should consider suspicious. You can scan it with anti-malwares, but even if they report nothing, that is no guarantee the file is really clean. You can monitor the execution of the file with a HIPS product, but that doesn't mean the HIPS won't be disabled or bypassed, or that you can interpret the HIPS alerts correctly and conclude that the file appears malicious. You can execute the file in a virtual machine or sandbox, but that won't mean the file isn't virtual machine or sandbox aware malware that refuses to do anything malicious while it knows it's being virtualized, and it also won't mean that you'll be able to detect the malicious actions made by the file even if it's not virtual machine aware. So, in short, it isn't exactly easy to tell whether a file is malicious or not. Of course, you can "improve your chances" that the file is clean with rather simple actions like anti-malware scanning, but that only improves your chances, it doesn't give any bullet proof answers.

    So, if I was you, I'd start by concentrating on the issue of trust: do I trust the source of the file and should I? You need to rethink who to trust and how much risk you're willing to take. After making reasonable choices on who to trust, then it's time for the other possible measures like malware scanning, HIPS, and what not. Like the recent Energizer USB charger malware issue (http://www.kb.cert.org/vuls/id/154421) shows, sometimes you'll trust someone who made a mistake. In those cases, HIPS, malware scanning and such can come in handy. But the "primary" line of defence should be your brain.
     
  14. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Yes It call comes back to trusting what you run on your PC.
    Sometimes you'll get it wrong , but use brain first .

    One option is getting into the habit * of not installing something straight-away.
    Upload it off to some AV to check. Loads of them will test files on their machines.

    Much safer than using your own PC as a test bed !

    *Habit is the key thing here. Then you won't break your own rules in a rush and regret it later.
     
  15. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Deep Freeze, which I use on occasion, is highly bullet resistant but not bullet proof. You might also try Virustotal Uploader to checkout downloads before installs. If you are looking for bullet proof computing, try the public computers at the library. I've never gotten an infection from them except for a cold or two (a little joke lol). Always have a clean offline image just in case.

    SourMilk out
     
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Please could you tell me what were your settings for NIS 2010? With all NIS 2010 settings set to max, NIS is pretty good; I'm pretty sure that the trojan and rootkit processes were unknown, then Norton file Insight and Norton Download Insight should have protected you by given you a warning.

    http://www.symantec.com/norton/products/tutorials/tutorials.jsp?pvid=nis2010&tutid=download_insight

    http://www.symantec.com/norton/products/tutorials/tutorials.jsp?pvid=nis2010&tutid=file_insight

    Thanks.
     
    Last edited: Mar 11, 2010
  17. wat0114

    wat0114 Guest

    Yup, I'd say the most important question here. If someone wants badly enough to venture into the unknown for their applications, then perhaps a "safe haven", of sorts, test bed is in order. Maybe a vm setup? Either that, or accept the risks involved with the real system and make sure you're reliably backed up to latest point and ready to restore an image at a moments notice. With Sandboxie you might be able to gain some idea of the application's characteristics - good or bad - but that seems to be mostly difficult with SB. A vm-aware virus will probably either not proceed to install or behave in some other "unexpected" way, so that should set off alarm bells right away.
     
  18. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I was looking to trial something which didn't offer a shareware/trialware. The application was from P2P and to be honest I did expect malware to be added into it. Most P2P does does. I did VirusTotal it which didn't show much. I did sandbox it, again nothing much. It was executing the setup file which saw an unknown loader bypass all my security and infect my system. Not really a problem, I was just very suprised it did.

    Does Norton IS 2010 have any HIPS protection or is it limited to SONAR? Yes all my settings are on full, and no I don't have the file anymore.
     
  19. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I had started a thread back in Oct 2008 which I thought was my Bullet Proof Setup or (Golden Bullet Setup). Boy, has that changed to my current setup of SBIE, Avast 5 and Mbam (on-demand). Running this setup on a Win7 Home Premium 32 and Win Xp Pro 32 without any hiccups and nice all around security. Unfortuntaly, there are some issues with SBIE and my Win7 64 notebook.

    Ice
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    icecube are still running sandboxie?
     
  21. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    Consider this overkill but heres what I have now...

    Norton Internet Security 2010 (Anti-Malware & Firewall, Both on maximum)
    PrevX - (Gets the 0day missed by Norton, Set on maximum)
    Threatfire (Blocks the 0day missed by Prevx, Set on level 4)

    Sandboxie (IE, Chrome, PDF)
    WinPatrol (For monitoring system changes)

    MBAM & HitMan (On-demand scanning)

    Paragon Disk Backup (For when it all goes wrong)


    If anything gets passed me this time then I will put an elephant condom over my machine.
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Yes, it is overkill and is heavily reliant on heuristic/behaviour blocking for 0 day. If you are going to venture back to the dark side then an AV+Sandboxie+Classical HIPS (such as Malware Defender) would serve you well. Add in Virustotal uploader, Buster Sandbox Analyzer and Virtualbox and you're well set.

    If you're not venturing back to the darkside then your existing setup was just fine.
     
  23. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Yep. I switch between GeSWall and SBIE but find SBIE a bit more compatible with certain applications I use. The only issue I have is with SBIE running on Win7 64 OS.

    Ice
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    ah isee:)
     
  25. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    I'd like to know how your running prevx and sandboxie together/ There was a big issue running both together in the past.Sandboxie kept prevx out of it and never found a way to use it.
     
Loading...
Thread Status:
Not open for further replies.