Defensive desktop security software outside the Windows mainstream

Discussion in 'other anti-malware software' started by Gullible Jones, Dec 31, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    This is intended to be a list of all Windows or multiplatform security software that is not part of the mainstream sold by AV and firewall companies.

    Please read this first:
    For the purposes of this thread I am excluding
    - all anti-executable software
    - all HIPS and sandboxes
    - all antiviruses, signature or behavior based
    - all virtualization software not explicitly designed as a form of access control
    - all forensic software such as on-demand AVs and antirootkits
    - all network IDS/IPS, antivirus proxies, or anything designed for servers
    - all software that does not run on Windows, or support Windows in some way
    - all vaporware, or otherwise unreleased software

    I am also excluding, for ethical and political reasons:
    - all software that is not available to the public. I have a special bee in my bonnet about this, because I think that Jane Q. Public deserves better than to be specifically denied access to security software that actually works.
    - all software that requires a large up-front payment for the full version, does not make a trial or demonstration version available, and makes unlikely or patently false promises about its capabilities. Those of you doing this know who you are. When I see products like this, I assume by default that they are scams.

    In short: I want to create a list of currently active projects that provide Windows desktop security with some level of future proofness. This means, among other things:
    - not requiring extensive knowledge on part of the user
    - not requiring massive configuration changes to Windows
    - not relying excessively on user decisions, and not always failing if the user decides wrong
    - not being based on "enumerating badness"
    - not seriously inconveniencing the user
    - not being based on trivial stuff like intercepting process creation calls

    Okay, that's all. I will start a list of categories that I know of.

    Web content blocking
    - Noscript
    - RequestPolicy
    - uMatrix/HTTPSwitchboard
    - Script Defender
    - ScriptSafe

    These are powerful, but not infallible if the user messes up (or even not, sometimes). They're also pushing it a bit on the user decision side.

    Heuristics for alerting users to malicious web content
    - Web of Trust
    - McAfee Site Advisor

    Good idea, but there are questions of reliability when crowdsourcing this stuff. Likewise, maintenance by corporate entities strikes me as raising several conflicts of interest.

    Exploit mitigation
    - EMET
    - Hitman Pro.Alert
    - Malwarebytes Anti-Exploit

    These seem pretty effective at blocking userspace shenanigans, but their mechanisms are quite opaque unless you're a software engineer, and that worries me a bit.

    I'll also admit that I feel there's conflict of interest inherent in the desktop security industry. AV and security companies make a killing on Microsoft's OS not being secure, and therefore have a vested interest in either maintaining a level of insecurity or maintaining FUD about it. Market forces drive them to make products that are not future proof, so that they keep having something to sell, and as such I am very skeptical of the long-term efficacy of anything they market... Even exploit mitigation software.

    Oh, one more:

    Containment by hardware virtualization
    - Qubes OS
    A bit too reliant on the user for my liking, but it's the only one (and it can run Windows in a DomU).

    ... And, as far as I can tell, that is all.

    Anyone want to add a category, or an item therein? I will update the list as people post...
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Well a good alternate DNS service helps too. One that blocks a wide array of known malicious sites. I know a lot of people hate on Comodo in here, but I know that Comodo Secure DNS has a very extensive database of known bad/malicious/rogue sites. And scam sites too, like for fake AV's and things of the like that scan your computer for free, put the malware on there, then offer a buttload of money to take them away. I hear Norton has a good one too. For privacy Chaos Computer Club and Swiss Privacy Foundation are good ones. And many swear by OpenDNS & DNScrypt.

Not sure I'd exclude AV's. I know you're talking about defensive strategy here, not reactive, but an AV can be defensive if set up the right way... like to "Deny Access" (an option in Avira) instead of cleaning, quarantining or deleting. Not to mention you've taken away so many other options for people, like sandboxing, virtualization, HIPS, anti-ex. A common user would be screwed/naked without having an AV and with all that stuff excluded as well. Web scanning can be seen as defensive too, since it stops it at the point of attack.

    In regards to web content blocking I'd add Adblock Edge/Plus with some good filter lists (EasyList, EasyPrivacy, Malware Domains). CS Lite Mod. And Private Tab.

    If a Firefox user, benefits can really be had if one knows their way around the about:config. I consider tweaking/hardening in that manner, as I do in my OS as well, more important than any software I use.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I think you might as well scrap exploit mitigation and web content blocking. The first one can cause compatibility problems, which will make some apps not run correctly or not at all. The second one will break 70% of all sites. Except for specialized blockers like Ghostery.

    Actually, it's possible for certain script-blockers to work almost the same as Ghostery. For example, I use ScriptKeeper (for Opera 11 and 12) and when run in "Relaxed Mode" (plus a little bit of white-listing) it breaks only 5% of all sites.

    https://addons.opera.com/nl/extensions/details/scriptkeeper/?display=en
     
  4. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    253
    Location:
    router
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
For me it's key that security is seamless, and invisible. Otherwise it's more of a hassle than a benefit.

    So I am always on alert for good security products/hardware/addons.
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @safeguy - good question. For the purposes of this thread, I'm going to say it doesn't.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    How about ad blockers?

    uBlock
    AdBlock(+)
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
I am curious about the point of this thread. Given all the exclusions, the only software I can see being effective is this.... C:\WINDOWS\system32\shutdown.exe -s -t 00
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Good question, and like I said, even stuff like "Web content blocking" and "anti-exploit" can cause problems for the average user.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
I also don't get the "hassle" part of the whole thing. If someone says to me something like Sandboxie is too much of a hassle, I say fine, see how much of a hassle it is to get infected. Take your choice. I've seen someone who got infected once every six months, let me teach them how to use SBIE, and then actually do so, and they haven't been infected since then. QED
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
I know a lot of people feel like you about blocking scripts but I disagree. Blocking content with NoScript has never caused me issues. Not even when I was an average user or before I got to the average level. Maybe it took me a year of using NoScript before most things related to blocking content started making sense but once I got into it, it's easy. Last time that I had to completely disable NoScript in order to get something working in a new unknown site was more than 5 years ago (that's well within my first year as a NoScript user).

Now, within a few seconds, I can figure out what to allow and what not to allow in order to get things working in any new site that is totally unknown to me. After using NoScript for a while, you become familiar with the names of domains so just by looking at them you can easily tell what's required.

    Bo
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Pete, I was one of those users that religiously used to get infected once every six months. And spend hours scanning the computer every two or three days. That was boring and stressful. Six years ago, as I started using and learning Sandboxie and NoScript, that horrible cycle came to a full stop. Since then, no more scans no more infections and no more stress.

    Bo
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's simple for me.. If a solution isn't standard, then each one has to be evaluated for effectiveness, and reliability/scalability. We can't deploy solutions that are custom in most situations, or ones that fall outside of the mainstream. For example deployment of Classic Shell or any Adblockers isn't a permissible thing simply because they aren't part of the core package, or support metric, and can 'break' things. Then we end up supporting extra products, services, or addons beyond the scope of the contract. Imagine a new version/update of Windows breaking Classic Shell, then having to support 11,000 machines using it without getting paid to do it from the client? It's a terrible thing to consider, and experience in the MSP field has taught us to be very very careful. I remember one client deploying 900 licensed versions of WinZip. The license expired, and we had to explain to them why they had to pay us $4,200.00 to remotely uninstall WinZip and revert the default handler to Windows itself on over 900 machines. These kinds of little things become BIG problems in business.

    On the home front;

If a solution can be installed, and functions largely without any interaction, and is seamless, then it is something I will consider. But I cannot run around 'fixing' 40-50 devices in the home, or working on exclusions for pages/sites/domains/products. So deployed solutions need to largely be hassle free, seamless, and durable. It's quite possible this lowers protection over all, but a compromise has to be made. This is why I am a big advocate of hardware based solutions, as they have a single point of control/maint., are easy to deploy, and upgrades rarely break anything.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I see your point. But you are probably the exception. Also explains why large companies are so easy to hack. Also they have an employee problem. Good luck.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    No you misunderstood, I'm also a fan of script-blockers, mostly because they speed things up, and of course the extra privacy is also nice. But I don't think they can be used by average users, because they will always break stuff at some point, except for tools like Ghostery.

    Same goes for anti-exploit, great tools but they can always cause issues, of course no problem to us "expert users", but "average Joe" will become annoyed by it. But perhaps I'm missing the point of this thread, because the only thing that gives hassle free protection are AV's.
     
  17. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Lucky you. I believe the aggregate of go to techs experiences are 10x more likely to be blank stares. And after the next fubar learning to stay safe happens less than 10% of the time.

    Edit: I mean: .... less than 1% of the time.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041

    Oh, I agree. But then that does keep them in business. People just don't want to bother taking care of things.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The following may violate the "letter" of your requirements, but it might fit the "spirit": partition virtualization of system partition, with user documents stored in a separate data partition.
     
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
I agree, but as to anti-exploit the reason is that some AV/IS implement exploit mitigation too, so if they have to be excluded, anti-exploit should be too. As to content blockers, yes, they are not usable for common people. And WoT or Site Advisor is not much different from an antivirus proxy.

    As OP didn't define what "security" means, I'll add these:

Patch management/Update checker (eliminate most exploits ITW)
- Secunia PSI/CSI
- Filehippo Update Checker
- Software Update Monitor
- Ninite Updater

Encryption software (prevent data leakage)
- Truecrypt
- Veracrypt
- Diskcryptor
- Bestcrypt
- EncFS
- Boxcryptor

Keystroke encryption (prevent keyloggers)
- Keyscrambler
- Zemana Anti-logger Free

SSL enhancement (prevent MITM attacks)
- SSL Eye
- Perspectives
- CertCentry

System utility with malware inquiry
- Process Explorer
- System Explorer
- Process Hacker
- AnVir Task Manager

I agree with Rasheed again, a script blocker like NoScript is a problem for novice users; they just want the browser to display the page they clicked immediately without any interaction. Not many people have the intention to learn about NoScript or domains. For such people, only a fully automated system will meet their need, and IMO such solutions are quite limited, maybe AV/IS and anti-exploit except EMET.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
It's not just the novice that NoScript is a problem for. I put it on, fool with it, get totally annoyed and take it off.
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I actually love this as a concept, but the problem is more one of efficacy and convenience. If an attacker or malware gets admin access (which is easy if you run as "limited admin"), it's all over - instant rollback software cannot be trusted to roll back changes made as admin.

    Meanwhile, routine updates become rather difficult. And it does nothing to protect from data theft, which is probably the biggest issue for most people...

    Still, it would be nice to have rollback software that was theoretically safe. It could probably be done with a hypervisor such as Xen... FWIW I once tried to set up something similar, with Windows running in Virtualbox on top of a GrSec kernel and minimal Linux install, but GrSec kept killing Virtualbox for doing silly things in kernel space :(

    Edit: @Yuki2718, good point re defining security. In this case I'm defining it as safety from the OS being forced to do something the user does not want or ask for.

    Edit 2: I should start a new topic about the VBox thing actually.
     
    Last edited: Jan 6, 2015
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041

Whoa there. I am having a hard time with the two statements in bold. The "rollback" software doesn't care a hoot about how the changes were made. Doesn't matter how the changes were made, when you are just replacing sectors on the disk that changed. For example doing a Windows update is probably the ultimate in making changes as an admin, and what I am using has absolutely no problem in reliably undoing it.

    Please explain and back up those comments factually.

    Thanks,

    Pete
     
  24. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I had a reply but the forum ate it... Let's try again:

    https://www.wilderssecurity.com/threads/tdl-tdss-trojan-series-bypassing-isolation-software.276152/

    That's an older rootkit that bypassed then-current rollback software. I'm sure there are more out there right now.

    The issue is that, if you can elevate to SYSTEM, you can do pretty much anything, including unhooking or bypassing a filesystem virtualization driver. If malware is running at the same privilege level as the security software, then the security software cannot be trusted to protect the OS from it.

    That's why I specified "theoretically" secure, not "practically." Practical security is all well and good, but what's practically secure today may not be tomorrow, and we all know how annoying it is for end users to be in an arms race. IMO desktop security needs to rely on something more than malware writers being cheapskates.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    ROFL, I had a few posts eaten also. Seems like the longer they are...

And yes, theoretically a filesystem virtualization driver could be compromised. But look at say AX64 TM. It takes images and incrementals. Then the system is corrupted. But the restore replaces all the changed sectors and the system is back to normal. I've tested this. Works. Same as restoring a real system image.

    And I agree tomorrow is a new day. Hence my interest in the software like MBAE, and HMPA. No one can rest on their laurels.
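The image-plus-incrementals scheme Peter describes (a full image, then snapshots holding only the sectors that changed, and a restore that writes changed sectors back) can be shown in a few dozen lines. The block below is an added toy model written for this thread; it is not code from AX64 TM or any other product, and the 16-byte block size, the four-block "disk" and the update/tamper sequence are constructed for the demonstration. It illustrates both sides of the exchange: the restore logic never asks which privilege level made a change, it only compares block hashes; and the guarantee holds only as long as the snapshot store and the restore engine themselves sit outside the reach of whatever modified the disk.

```python
"""Toy block-level snapshot and restore (added example, not a product's code).

A base snapshot holds every block of the disk plus a hash per block.
An incremental holds only the blocks whose hash differs from the previous
snapshot. Restore replays base + incrementals and overwrites every block
that differs from the target state, whoever changed it.
"""
import hashlib
from dataclasses import dataclass, field

BLOCK = 16  # toy sector size in bytes (assumption; real disks use 512 or 4096)


def _blocks(data: bytes) -> list:
    """Split a disk image into fixed-size blocks."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _digest(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


@dataclass
class Snapshot:
    blocks: dict = field(default_factory=dict)  # block index -> block bytes stored
    hashes: list = field(default_factory=list)  # hash of every block at snapshot time


def take_base(disk: bytes) -> Snapshot:
    """Full image: every block is stored."""
    blks = _blocks(disk)
    return Snapshot({i: b for i, b in enumerate(blks)}, [_digest(b) for b in blks])


def take_incremental(disk: bytes, prev: Snapshot) -> Snapshot:
    """Store only blocks whose hash changed since the previous snapshot."""
    blks = _blocks(disk)
    hashes = [_digest(b) for b in blks]
    changed = {
        i: b
        for i, (b, h) in enumerate(zip(blks, hashes))
        if i >= len(prev.hashes) or h != prev.hashes[i]
    }
    return Snapshot(changed, hashes)


def restore(disk: bytearray, chain: list) -> bytearray:
    """Rewrite the disk to the state of the last snapshot in the chain.

    The chain is [base, inc1, inc2, ...] in the order taken. Later entries
    win, so the union gives the full target state. Nothing here inspects who
    or what wrote the blocks being replaced."""
    target = {}
    for snap in chain:
        target.update(snap.blocks)
    for i, b in target.items():
        disk[i * BLOCK:(i + 1) * BLOCK] = b
    return disk


def verify(disk: bytes, snap: Snapshot) -> bool:
    """True if every block on disk hashes to what the snapshot recorded."""
    blks = _blocks(disk)
    return len(blks) == len(snap.hashes) and all(
        _digest(b) == h for b, h in zip(blks, snap.hashes)
    )


def simulate() -> dict:
    """Constructed scenario: base image, a legitimate update, unwanted
    changes afterwards, then a restore to the last good snapshot."""
    disk = bytearray(
        b"BOOT".ljust(BLOCK, b".") + b"SYS ".ljust(BLOCK, b".")
        + b"DATA".ljust(BLOCK, b".") + b"LOG ".ljust(BLOCK, b".")
    )
    base = take_base(bytes(disk))
    # Legitimate change (think a Windows update) rewrites block 1, then a
    # new incremental captures just that block.
    disk[BLOCK:2 * BLOCK] = b"SYS2".ljust(BLOCK, b".")
    inc = take_incremental(bytes(disk), base)
    good_state = bytes(disk)
    # Unwanted changes to blocks 0 and 3 made after the last snapshot.
    disk[0:BLOCK] = b"JUNK".ljust(BLOCK, b".")
    disk[3 * BLOCK:] = b"JUNK".ljust(BLOCK, b".")
    restore(disk, [base, inc])
    return {
        "incremental_blocks": sorted(inc.blocks),       # [1]
        "restored_matches_good_state": bytes(disk) == good_state,  # True
        "restore_verifies": verify(bytes(disk), inc),   # True
    }


if __name__ == "__main__":
    print(simulate())
```

The `verify` step is the part worth keeping in mind from Gullible Jones's side of the argument: the hashes and stored blocks prove nothing if the thing that tampered with the disk could also rewrite the snapshot store or the restore code, which is why the snapshots and the engine that replays them belong on media or in a layer the running OS cannot alter.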
     