Conclusion I reached after 3,200 individual malware removals.

Discussion in 'other anti-virus software' started by Mayahana, Nov 12, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
It's great, but it isn't an enterprise grade device. I deal primarily with enterprise grade devices. ASUS w/Trend is a marvelous piece of equipment, but you won't find granular policies, and it's certainly not a NGFW. Although it's a remarkable improvement in security for homeowners over, say, a cheap NAT router. I wouldn't expect any homeowner to be confident with a UTM; even a fairly tech savvy one would quickly feel overwhelmed. In those cases, the ASUS would be perfect.
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yeah that's my view too. I don't plan to get one, but may recommend it to others that want to level up.
     
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks for this info, it will be great to have a resource to help with any major set up problems. I like to set things up properly once and then pretty much leave them alone.

    I agree with you about most home routers, I've seen too many fails in the news lately, it is not comforting, and so I am willing to invest to gain a better security "wall" for my growing number of home/home office devices.

A question about the USG110. As I read it, it has a built-in WLAN controller, but no inherent wireless capability; you have to add a module. Can I connect my ASUS AC68U router to the USG110 to achieve wireless coverage for my home?

I believe I am going to buy from Newegg for $619 which includes 1 year of UTM service. I have not seen any bundles that have more than 1 year of UTM. I have the "premiere" relationship with Newegg which provides some advantages. The Newegg product description: http://www.newegg.com/Product/Product.aspx?Item=N82E16833181362&cm_re=usg110-_-33-181-362-_-Product. If you can, please look at this and make sure I am ordering the right thing! Thanks.
     
  4. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
Is it even worth buying the ZyXEL USG40? The renewal price is around $155 for the bundle.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
If you use ZyXEL WAPs the ZyXEL can act as a controller for the WAPs, same with Fortigates. In your case this isn't necessary. Simply set the AC68U to Transparent/Bridge mode and plug it into a switch on the network, or directly into the ZyXEL, and it will act as a WAP (wireless access point). In my case I use the RT-AC87R as the WAP; it grabs DHCP off the ZyXEL and provides full wireless coverage. This would be similar to your setup.

USG40 is fine, as long as you can deal with the lower throughput (50Mbps). Otherwise it's a very fine device, with extensive malware/intrusion protection. All of these devices use the following technologies:

    Antivirus/Antimalware - Kaspersky UTM
    Intrusion Detection/Protection - Kaspersky and ZyXEL labs.
    URL Inspection/Content Filtration - Bluecoat and COMMTouch (both engines at the same time)
    ADP - Heuristic, ZyXEL Labs.
     
  6. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
How does the reputation-based stuff work with legitimate files that come bundled with adware/spyware? Most of my family members only get hit with that stuff, which I find ESET is particularly good at removing compared to other vendors.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Can you tell me what you mean by this? Is it somehow related to sandboxing?
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
Thin clients are virtualized (sandbox-like) desktops with almost no permission rights, that can be individually terminated and restored as needed. With virtual desktop machines on a server, you can manage and secure all those desktop user environments in one central location. Patches and other security measures, along with hardware or software upgrades, demand much less overhead. And the risk that users will make mischief or mistakes that breach security drops dramatically.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes but if I'm correct that does not sound as advanced as Invincea FreeSpace.

    http://www.invincea.com/knowledge-center/white-papers/
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
It's probably not as secure, but when thin client is stacked with security features such as UTMs and malware inspection hardware, it's fairly bulletproof. Pretty easy to set up, I set them up all of the time for companies, and I will admit they are very very secure. There can be some drawbacks, but overall it stops clickers from clicking and ruining systems.
     
  11. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
Instead of a reputation AV you could have installed SecureAPlus or VoodooShield on your daughter's PC, password-locked it and set it to block, and that's it. You are good to go, no worries and no need for antimalware, etc. Although you could also use Shadow Defender, TimeFreeze, etc. and be good to go.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Yeah, and then hear complaints about installing things and whatnot...
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
Exactly. Seamless is the key. Once stuff starts to break, or function poorly, then security has overshot functionality and it's time to dial it back.
     
  14. 142395

    142395 Guest

I somewhat regret giving my laptop to a friend (so I don't have a spare PC).
But next time I build a new PC I'll install Endian on the current PC. It uses Panda for the AV component, and some reviewers say it's faster than Untangle when it comes to throughput.
BTW, Untangle seems to have switched their AV to Bitdefender?
     
  15. 142395

    142395 Guest

The fact is, client-side sandboxing is severely limited by resource constraints.
I know Trend Micro (but not only them) sells a dedicated appliance for sandbox analysis and also offers a cloud-based analysis service for those who can't afford the expensive appliance.
When it comes to advanced malware used in targeted attacks, I highly doubt client-side sandbox analysis can detect them.

There are plenty of ways malware can fool sandbox analysis, so current sandbox analysis has to not only build up exactly the same environment as the real one (including desktop, applications, and network), but also e.g. simulate user interaction, analyze for more than 30 min, detect sandbox-aware behavior, and combine it with reverse engineering.
These things are quite resource intensive, so a dedicated appliance or cloud solution is needed.

Of course client-side analysis is still useful to detect usual malware, but not for targeted malware.
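The evasion-versus-detection loop described in the post above, as an added example that is not code from the poster or from any sandbox vendor: a toy sandbox-aware sample that probes CPU count, memory, uptime, mouse movement and hypervisor guest processes and then stalls before doing anything, beside the analysis-side scoring that flags exactly those probes. The `Environment` fields, the API-call names recorded in the trace, the thresholds and the three environments are all constructed assumptions; a real sandbox would derive the trace from API hooks rather than from the sample's own bookkeeping.

```python
# Added example (not the thread's or any product's code): a sandbox-aware sample
# and the analysis-side heuristic that flags its probes. Everything here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Environment:
    """What a running sample can observe on the host; all values are constructed."""
    cpu_count: int
    ram_gb: int
    uptime_s: int
    mouse_moved: bool            # cursor moved while the sample was watching
    processes: frozenset         # lower-case process names visible to the sample
    analysis_window_s: int       # how long the sandbox keeps observing the sample


VM_ARTIFACTS = frozenset({"vboxservice.exe", "vmtoolsd.exe"})   # hypervisor guest tools
PAYLOAD_DELAY_S = 20 * 60        # the sample stalls 20 minutes before its real work


def run_sample(env):
    """Emulate a sandbox-aware sample. Returns (payload_ran, api_trace)."""
    trace = []

    def call(api, result):       # record the call the way a sandbox API hook would
        trace.append((api, result))
        return result

    if call("GetSystemInfo.cpus", env.cpu_count) < 2:
        return False, trace      # single-vCPU box: assume analysis VM, exit quietly
    if call("GlobalMemoryStatus.ram_gb", env.ram_gb) < 4:
        return False, trace
    if call("GetTickCount.uptime_s", env.uptime_s) < 600:
        return False, trace      # freshly booted snapshot
    if not call("GetCursorPos.moved", env.mouse_moved):
        return False, trace      # nobody is at the keyboard
    if call("EnumProcesses.vm_artifacts", len(VM_ARTIFACTS & env.processes)) > 0:
        return False, trace
    if call("Sleep.s", PAYLOAD_DELAY_S) > env.analysis_window_s:
        return False, trace      # sandbox stops watching before the payload fires
    call("CreateFile", "payload.dll")
    return True, trace


PROBE_APIS = frozenset({"GetSystemInfo.cpus", "GlobalMemoryStatus.ram_gb",
                        "GetTickCount.uptime_s", "GetCursorPos.moved",
                        "EnumProcesses.vm_artifacts"})


def score_trace(trace, analysis_window_s):
    """Analysis-side heuristic over the hooked calls: returns the reasons to flag."""
    reasons = []
    probes = [api for api, _ in trace if api in PROBE_APIS]
    if len(probes) >= 3:
        reasons.append(f"{len(probes)} environment probes before any real work")
    if any(api == "Sleep.s" and val > analysis_window_s for api, val in trace):
        reasons.append("sleep longer than the analysis window")
    if any(api == "CreateFile" for api, _ in trace):
        reasons.append("dropped a file")
    return reasons


# Three constructed environments: a default VM, a realistic one with a 5-minute
# window, and the same realistic one observed for 30 minutes.
BARE_VM = Environment(1, 2, 60, False, frozenset({"vboxservice.exe"}), 300)
REALISTIC_SHORT = Environment(4, 8, 7200, True, frozenset(), 300)
REALISTIC_LONG = Environment(4, 8, 7200, True, frozenset(), 1800)


def analyze(env):
    """Run the sample in env and score what the sandbox saw. Returns (payload_ran, reasons)."""
    ran, trace = run_sample(env)
    return ran, score_trace(trace, env.analysis_window_s)


if __name__ == "__main__":
    for name, env in (("bare VM", BARE_VM), ("realistic, 5 min", REALISTIC_SHORT),
                      ("realistic, 30 min", REALISTIC_LONG)):
        ran, reasons = analyze(env)
        print(f"{name:18} payload ran: {ran!s:5} flagged for: {reasons or 'nothing'}")
```

Run stand-alone it prints one line per environment. The bare VM sees a single probe and then silence, which is the quiet failure the post warns about. The realistic environment with a five-minute window never observes the payload either, but the trace itself (five probes followed by a sleep longer than the window) is enough to flag the sample, which is what "detect sandbox-aware behavior" buys you. Only the 30-minute window with simulated user input observes the actual drop.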
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
Untangle uses Clam for the Lite, and Bitdefender for the paid. It's overly expensive, almost ridiculously expensive to pay for Untangle. Also Untangle has a questionable IPS system in my view, as they seem to use a highly truncated Snort, and the Untangle team seems to think NAT is still all that's really needed. I disagree with their logic. It's fast, light, and the Adblocker is fairly effective though, so I use it.
     
  17. 142395

    142395 Guest

Thanks for clarifying.
I agree, NAT by itself is not real security any more.
I don't say Snort is bad, but at the same time I have to admit it's quite a limited (or basic) IPS unless you manage to add many definitions.
I'll probably use Endian when I build my next PC (maybe after the Win10 release...) as I don't have much money to buy a dedicated UTM appliance.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
Yes, but I think FreeSpace is more about keeping the system safe; it's not really meant for malware analysis. Also, if malware chooses not to run because it has detected the sandbox, then you have also won the battle. I think sandboxing combined with anti-exploit and behavior blocking is one of the best technologies to keep systems safe. Lots of advanced attacks on businesses would have failed if they had used Sandboxie or FreeSpace. But of course their competitor Bromium has already pointed out that it cannot protect against advanced kernel exploits.
     
    Last edited: Nov 21, 2014
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Agreed on the won battle part. Some malware self destructs if it detects a VM/SB environment, so that's a won battle.

    But I do not think Sandboxing is the best technology. I think fingerprinting, machine learning, and reputation systems are the wave of the future. It's pretty tough to sneak something past a reputation system because if the malware is new from an unknown company it's flagged. If it is old and unsigned, it's flagged. If it's common, and malware, it's flagged. It's fairly difficult to bypass such a system. When combined with fingerprinting, it's pretty tough which is why Trend has been scoring so high.
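The reputation rules Mayahana lists above (new and from an unknown publisher; old and unsigned; common and already known as malware), as an added example that is neither the poster's code nor any vendor's engine: a toy classifier over file metadata with a hash fingerprint check in front of it. `FileMeta`, the trusted-publisher set, the known-bad hash, the thresholds and the sample files are all constructed assumptions.

```python
# Added example (not the thread's or any vendor's code): a toy reputation engine
# implementing the rules the post lists. Publishers, hashes, thresholds and
# sample files are constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileMeta:
    """Constructed view of what a reputation cloud knows about one file."""
    sha256: str
    signer: Optional[str]      # publisher on a valid code signature, None if unsigned
    first_seen_days: int       # days since the cloud first saw this hash
    prevalence: int            # number of endpoints that have reported this hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


TRUSTED_PUBLISHERS = frozenset({"Example Software Inc."})                 # constructed
KNOWN_BAD_HASHES = frozenset({sha256_hex(b"constructed sample: dropper A")})  # fingerprints
NEW_FILE_DAYS = 7          # younger than this counts as "new"
COMMON_PREVALENCE = 1000   # seen on at least this many endpoints counts as "common"


def verdict(meta: FileMeta):
    """Apply the rules in order; the first one that matches decides. Returns (action, reason)."""
    # 1. Fingerprint: a hash already known as malware is blocked whatever else is true.
    if meta.sha256 in KNOWN_BAD_HASHES:
        return "block", "fingerprint matches known malware"
    # 2. Signed by a trusted publisher: allowed even if brand new.
    if meta.signer in TRUSTED_PUBLISHERS:
        return "allow", f"signed by trusted publisher {meta.signer}"
    # 3. New and not from a trusted publisher: flagged.
    if meta.first_seen_days < NEW_FILE_DAYS:
        return "block", "new file from an unknown publisher"
    # 4. Old and unsigned: flagged.
    if meta.signer is None:
        return "block", "old but unsigned"
    # 5. Old and signed by an unknown publisher: prevalence decides.
    if meta.prevalence >= COMMON_PREVALENCE:
        return "allow", "old, signed, widely seen"
    return "monitor", "old, signed by an unknown publisher, rarely seen"


# Constructed sample files covering each branch.
SAMPLES = {
    "known_dropper":  FileMeta(sha256_hex(b"constructed sample: dropper A"), None, 400, 50000),
    "os_component":   FileMeta(sha256_hex(b"constructed sample: os binary"),
                               "Example Software Inc.", 2, 200000),
    "fresh_unknown":  FileMeta(sha256_hex(b"constructed sample: fresh"), "Unknown Co", 1, 3),
    "old_unsigned":   FileMeta(sha256_hex(b"constructed sample: old tool"), None, 800, 120),
    "niche_signed":   FileMeta(sha256_hex(b"constructed sample: niche"), "Small Vendor Ltd", 300, 40),
    "popular_signed": FileMeta(sha256_hex(b"constructed sample: popular"), "Mid Vendor", 300, 5000),
}


def classify_all():
    """Return {sample name: action} for every constructed sample."""
    return {name: verdict(meta)[0] for name, meta in SAMPLES.items()}


if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        action, reason = verdict(meta)
        print(f"{name:15} {action:8} {reason}")
```

The ordering is the point: the fingerprint and trusted-publisher rules are decided before age and prevalence are consulted, so a signed file from a trusted publisher is allowed even when it is two days old, and a known-bad hash is blocked even when it is installed on fifty thousand machines. The "old but unsigned" rule is the one that bites legitimate tools, which is the functionality trade-off the thread keeps coming back to; a fileless exploit that never writes a dropper produces no `FileMeta` at all and is outside this engine's reach.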
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Mayahana I think we're looking at territories that don't necessarily overlap. Sandboxing and access control can contain intrusions (especially if the kernel is really well secured), but won't help if a user is fooled into installing malware. OTOH, flagging files by reputation won't help in the case of some current exploit kits, which bypass the filesystem entirely (or at least wait until the victim OS is thoroughly compromised before dropping anything).
     
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    That's true. But the exploits should be contained by the UTM, assuming they have deployed a UTM solution (and any company is ridiculous to not have one deployed by now). So the exploit kits, and injectors will in the majority, if not all cases be stopped at the gateway.
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Mayahana, majority yes, but it's that one time it doesn't work that will cause problems. Filtering by UTM appliances is mainly a blacklisting approach, which means it's chasing a rapidly moving target. I suppose there are heuristics for detecting shellcode, but I'm not going to put my faith in them yet.

    Also that's for offices etc. that can afford to maintain a UTM solution. Most home users don't have the skill set needed. Centralized filtering of web traffic for malicious content is probably a good thing in most cases, but I think client security can't be neglected either.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
Well, you can always combine them. And I'm sure that UTMs and cloud AV are quite powerful, but if I had to choose between AVs (with cloud system) and sandboxing/HIPS, I'd go with the latter. Basically, because we all know that AVs will never be able to identify all malware, no matter how good the heuristics or cloud system.

    The cool thing about sandboxes is that they won't allow malware to damage and take over the PC even when they have bypassed the AV. And because of the behavioral monitoring they can also easily spot and block malware that's running inside the virtual container. Current threats like ransomware and info stealing trojans don't stand a chance, especially if files/data are also sandboxed.
     
  24. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    Conclusion I reached: An AV is not necessary if you know where you click and what you start. :thumb:
     
  25. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Home users just need to find a router with HitmanPro UTM inside, no hassle, just activate it in the router and the protection is amazing!

    http://www.surfright.nl/en/hitmanpro/utm

I have tested a couple of solutions: Endian, Untangle, IPCop, Sophos (former Astaro) etc.
Best of them at stopping malware and exploits: Sophos, hands down (with both the Sophos and Avira engines enabled); my own testing of course. Hard to find good tests in this area.
But my present Sitecom Modem/Router X6 N900 is even better at stopping these threats. (My own opinion and testing again of course, we do not want to upset anyone.) ;)

    /E
     