Easiest To Use Proactive Security App. & My Setup

Discussion in 'other anti-malware software' started by CogitoErgoSum, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    What is the easiest to use and effective proactive security application (paid or free) that uses little resources (RAM) and is a good value? Online Armor? ProcessGuard? RegDefend? Others? My security setup is as follows:

    UnHackMe
    Look'n'Stop
    Counterspy
    TrojanHunter
    Task Catcher
    WinPatrol
    NOD32
    WormGuard
    SpywareBlaster
    Harden-It
    Samurai
    Spybot Search & Destroy
    Ad-Aware SE

    I would greatly appreciate any comments or opinions on this matter.


    Peace & Love,

    CogitoErgoSum
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Hopefully you do not run most of these programs in real time?:p

    Of the ones you list, I have used both Process Guard and OnLine Armor and PG was definitely the lighter of the two. SafeNSec is also very light in real time.

    However, rather than adding more programs, I would look closely at your present setup and see whether you really need ALL of these for effective protection.
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks Blackcat for the advice.


    Peace & Love,

    CogitoErgoSum
     
  4. Beef

    Beef Guest

    What's your operating system?


    These may not be needed..... just overdoing it


    UnHackMe
    Counterspy
    Task Catcher
    Harden-It
    Samurai


    TrojanHunter: if you are using Win2k or XP, go for Ewido instead


    The above are all good programs, just duplicates of other programs you are using. WinPatrol will do a fine job of warning.
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks Beef for your input. FYI, my OS is WinXP SP2.


    Peace & Love,

    CogitoErgoSum
     
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    You are definitely wrong about not needing Harden-It and Samurai. They are very good hardening programs that a lot of people around here recommend using. I myself am using SafeXP, Harden-It, Secure-It, IE-SpyAd, Enough is Enough, BugOff, and Samurai. With all that, my system is still fully functional and very securely hardened.

    dja2k
     
  7. Beef

    Beef Guest

    ** Please excuse my briefness, it's due to having a severe flu **



    dja2k

    Friend, it's OK to disagree.... that's what discussion is all about... polite and friendly discussion is what sharing is.


    dja2k, may I ask what it is you are very securely hardened against? And if in fact, as the other poster stated.. you did get CWS.... obviously something you are doing is not working.
    Bloat is bloat...... duplicate programs are panic ware.... and ware is a classic sign of a Nooob. No one said that the programs were bad... just that they may not be needed...... and that decision belongs to the computer owner.

    "They are very good hardening programs that a lot of people around here recommend using." That may be true... but so what? It's nice to have the support of others but very foolish to "follow the herd".

    These comments are also directed at the original poster. Each person should consider what is best for his computer.
     
  8. Beef

    Beef Guest

    TYPO CORRECTION:


    should read:

    "and panic ware is a classic sign of a Nooob"
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    CogitoErgoSum,

    Blackcat provides excellent advice, which is worth some expansion.

    While it is prudent to have some level of backup, it is very easy to go overboard and create system instability and/or severe drag in the process. We all have our personal levels of comfort in these matters, but when you start, the questions to ask are really not at all obvious.

    The realtime setup that I use is somewhat spartan, and evolving over time. However, there are some clear design rules that I follow.
    • It always starts with a decent NAT/SPI router to move control of unsolicited packets off the PC. There has been some discussion over at Broadband Reports on the need for a software firewall if a router is used (see "Leo Laporte says software firewall not needed!", "El Cheapo Router Challenge", "First winner - El Cheapo Router Challenge"). I do tend to use a software firewall for application based network activity control. While I am decidedly on the side that it is not absolutely required for a home user, I must admit feeling a little naked without one running these days - an example of where my personal comfort level plays a big role in the final decision.
    • After that it is a strong AV, and I generally recommend one that obtains an Advanced+ grade in either the demand or proactive detection tests performed by av-comparatives.org. At the current time, that pool is comprised of, in alphabetical order, BitDefender/Kaspersky AV/McAfee/NOD32/Symantec-Norton.
    • I prefer two levels of backup to my primary AV. My impression is that the greatest potential vulnerabilities to a file scanning signature based AV are various steps a malware author can use to obscure the signature, or lack of a signature due to new malware. To address this, I use a memory scanning AT (BOClean), which doesn't scan files, but scans process memory in which the obscuring measures do not exist and a behavioral/proactive application that flags actions which could be viewed as potentially malicious. For the latter role, I use SafenSec, although there are a number of other suitable applications. The role of SnS is primarily to signal when registry entries are added/altered (particularly in the auto-start section of the registry) or if files in key system folders are added/edited/deleted. It does have other functions, but these are critical. Online Armor mentioned by Blackcat plays a similar role.
    So there you have it, 3-4 applications in total. I do have a bunch of other tools installed, but they are only run on-demand and infrequently at that. Naturally an imaging tool (I use Acronis True Image, but have stayed at the version 8 level until version 9 matures....) is also very strongly recommended.

    In your own case, before removing any of the applications you list, look at how they are set up. Are realtime components running? Rather than an uninstall for duplicate measures of this type, would a simple disabling of autostart/realtime monitoring make more sense, since at least the capability will be readily available if required? For the parts that remain as realtime components, consider their function. Do you have all the recommended bases covered? What are those bases? Well, my own list is:
    • A general tool to flag malware files - a classical AV/AT
    • Monitoring process memory
    • Monitoring of potentially malicious actions (registry edits, other approaches to autostart a process, file add/edit/delete, tampering with another process, etc.) regardless of origin.
    • A tool to control outbound communications
    You'll notice that I don't have specific tools covering spyware, keyloggers, and the like. They are handled quite well by the applications that I listed, and I do have spyware scanners installed which I use on a very infrequent basis (my system invariably comes up clean - but external confirmation is a nice practice).

    Finally, don't hesitate to change up the mix from time to time as you learn about the available applications, current threats, and likely exposure points based on your own system usage profile.

    Blue
     
  10. Beef

    Beef Guest

    BLUE

    well put...very impressive.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks dja2k and BlueZannetti for the input.


    Peace & Love,

    CogitoErgoSum
     
  12. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Sorry that my post was taken in that manner. It wasn't meant to come out offensive. I was just thinking of what CogitoErgoSum was asking, "What is the easiest to use and effective proactive security application (paid or free) that uses little resources (RAM) and is a good value?"

    dja2k
     
  13. StevieO

    StevieO Guest

    Here are a couple of excellent apps to add that I wouldn't be without and have proved themselves time and time again.

    . . .

    Watcher

    Monitors new entries in your System, StartUp and Registry etc, with various options to keep or delete etc. For 98/ME/XP etc

    http://www.donationcoders.com/kubicle/watcher/index.html

    . . .

    Winsonar 2005 XP

    Freeware Edition is a program specifically designed for process monitoring and system protection from unknown processes: kills unknown EXEs instantly! Also has port monitoring if required. For 98/ME/XP etc

    http://digilander.libero.it/zancart/winsonar.html

    . . .


    StevieO
     
  14. Beef

    Beef Guest

    dja2k

    Thank you for posting back.... and hey, there is no problem.... let's be friendly and learn together... that's what it's all about.. kind of an "us against them" thing...... I am sure there is lots that I could learn from you and perhaps in return I can share a tip or two with you.
    My outlook on computer security is found to be rather unusual these days...... for several years lots of people have been fighting off spyware so that's what they know...... on the other hand my concern has been computer security..... preventing hacking.... and all that other stuff..... and people are not used to seeing that kind of attitude.......
    Always I remain open minded and eager to learn whatever I can from whoever offers to share their knowledge,
    so please excuse me if it appeared I was trying to be a know-it-all...... in fact I was really being very sincere....... and as you can see I don't mind explaining myself if given the opportunity......


    Well dja2k, it's nice meeting you.. if ever I can be of some help to you just give a call........

    Warm Regards
     
  15. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Yeah, Winsonar is a good free app to kill unknown processes that haven't been added to a trusted list. It also has some registry protection as well. By the way, if you plan to use Winsonar, I advise using it in FAST SCAN mode for a while until you add the programs you normally use to the trusted list, or else they will not run.

    dja2k
     
    Last edited: Nov 6, 2005
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks StevieO for your input.


    Peace & Love,

    CogitoErgoSum
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Online Armor, yes.. but first on my list is DropMyRights.
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks Notok for the advice.


    Peace & Love,

    CogitoErgoSum
     
  19. tlu

    tlu Guest

    This approach is rather questionable because of an existing design flaw in Windows. There are scenarios in which applications, which were started with lower rights, can break out from this security context and gain admin rights.

    A better and safer approach is working under a user account with limited rights and use Aaron Margosis' excellent recommendations and tools.
     
  20. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks tlu for your input.


    Peace & Love,

    CogitoErgoSum
     
  21. windowsuse

    windowsuse Guest

    Well, for people who insist on running in administrator mode, DropMyRights is as good as it gets for free.

    Of course, you are one of the minority here who champions running with limited rights, which is fine, but it makes running and installing non-standard security software (a very important pastime here) somewhat harder. For example, control over PG is almost non-existent if you don't run as admin, as you yourself have noted.
     
  22. tlu

    tlu Guest

    No problem here - just start PG with the "runas" command. Other software requiring admin rights can be started using the MakeMeAdmin batch by Aaron Margosis.
     
  23. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Of course. Processes with reduced token privileges can also still communicate with system processes as well. The DropMyRights page does outline the limits of what it can do for you, and why you should still run as a limited user (including links to Aaron Margosis' page). There are privilege escalation exploits that would work under a limited user account as well, including shatter attacks, buffer overflows, third party application vulnerabilities, the default screensaver, and any number of things that are more likely to be exploited (and have been). There have been lots of these things patched already, like the printer spooler service, and I'm sure that we will see more. DropMyRights or running under a limited user account is no substitute for other security measures, but it does help, and it uses no resources. IMO it's a very basic measure that you build on from there.. the ultimate goal is to prevent malware from getting on your system in the first place.

    The particular scenario you linked to could probably be worked around by disabling the Secondary Logon service, I would imagine, since this disables the "runas" function, and malware wouldn't be able to install as a service without using another privilege escalation exploit. Thanks for the link, though, I do appreciate that :)
     
    Last edited: Nov 10, 2005
  24. tlu

    tlu Guest

    Indeed, and because of this I'm still convinced that a limited user account is the superior approach. You have no write access to the system folder, no write access to a large part of the registry, and there are lots of other advantages. This makes it a lot more difficult for malware to harm your computer (although I definitely agree with you that other security measures are still necessary). Working as a limited user is not as problematic as many Windows users might think once you're used to it. And the mentioned MakeMeAdmin batch makes it even more comfortable.

    As for DropMyRights, the crucial problem is Windows messaging. Let's say you are running IE with limited rights, there is still explorer.exe running with admin rights. This process can be "telecontrolled" by some malware to start another program with admin rights.

    On the other hand, shatter attacks in a limited user account can't cause much damage except for badly programmed services (which do exist despite the warnings by Microsoft).
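    A small audit script, added here as an example and not part of this thread or of DropMyRights, that checks the two conditions posts 23 and 24 turn on: whether the current session actually runs without an admin token, whether an explorer.exe on the same desktop still runs under another account, and whether the Secondary Logon (seclogon) service behind "runas" is enabled. It assumes Windows PowerShell 3.0 or later and uses only standard cmdlets; on a UAC system a non-elevated administrator session also reports an admin token of False.

    ```powershell
    # Added example (not from the thread): audit the limited-rights setup discussed above.
    # Assumes Windows PowerShell 3.0+ (Get-CimInstance); all names are standard cmdlets/classes.

    # 1. Does the current process token carry the Administrators group?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Host "Current user  : $($identity.Name)"
    Write-Host "Admin token   : $isAdmin   (False is what a limited user session should show)"

    # 2. Which account owns each explorer.exe? Post 24's concern is a limited-rights
    #    application sharing a desktop with an explorer.exe that runs as admin, so any
    #    owner that differs from the current user is worth knowing about.
    Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $ownerName = "{0}\{1}" -f $owner.Domain, $owner.User
        $flag = if ($ownerName -ne $identity.Name) { "  <-- runs as a different account" } else { "" }
        Write-Host ("explorer.exe PID {0} owned by {1}{2}" -f $_.ProcessId, $ownerName, $flag)
    }

    # 3. Secondary Logon backs "runas" (post 22's way of starting PG) and is the service
    #    post 23 proposes disabling; report its state and start mode so the trade-off is visible.
    $seclogon = Get-CimInstance Win32_Service -Filter "Name = 'seclogon'"
    if ($seclogon) {
        Write-Host ("Secondary Logon: state {0}, start mode {1}" -f $seclogon.State, $seclogon.StartMode)
    } else {
        Write-Host "Secondary Logon service not present on this system"
    }
    ```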
     
  25. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You definitely won't get any argument from me about running as a limited user, and I'm absolutely not trying to disagree with you that DropMyRights is "just as good", but keeping in mind that most users can't or won't, DropMyRights is the next best thing. (Yes, I've been to Aaron Margosis' blog, it's linked on the DropMyRights page in the heavy warnings that DropMyRights is no replacement for running under a limited user account.)

    There are plenty of exploits either way you go (with DropMyRights or using a limited user account) which is why I think hardening, getting all patches & service packs, and using at least the basics is also necessary (btw, the makers of ComputerSecurityTool also make a free tool to remove the Windows Messenger, also NetMeeting). With DropMyRights you do have the same restrictions, it's just a matter of the exploits available to bypass them. Hardening and using other security software will help that. If you can get a sandbox like DefenseWall, then that's even better (with DefenseWall it won't even be able to see that explorer exists). Since not that many people use DropMyRights, I tend to think that if any exploit is going to be used by malware to get around it, it's going to be an exploit designed to elevate privileges from a full limited user account, in which case you're going to need other defenses anyway.
     