FACE IT

Discussion in 'other anti-malware software' started by EASTER, Aug 6, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    The best of the best security apps are only going in circles now.

    Does anyone see any new entries in this security field anymore? NO!

    Just basic improvements, and plenty of issues that come along with them to boot.

    The future is solidly in HIPS and, if it were possible, a reliable & dependable SMART behavioral blocker.

    So where are they now? Look things over: even SandboxIE is about to run its course. AVs are a crap shoot at best; there are at least 2 ASs that are very reliable IMO, SAS & MBAM, everything else pales in comparison.

    A super quality HIPS is the trend of the present and future for NT systems for end users; there's your absolute SHIELD against lamer malware writers, and they know it. I read their forums all the time, and they are nearly out of ideas that used to make headlines. Newbies are their only targets because sandboxes, virtual systems, HIPS and hardening like SRP all but waste their efforts now. They can't reach end users who are properly equipped with today's latest innovations.

    All this talk about browser compromise is a joke. I still use IE and they can't even cross the first line of defenses; they're all but dead on arrival.

    Add an ISR or, better yet, keep updated system images OFF-CONNECTION and they are a joke.

    Many great thanks go out to developers like Tzuk, Ilya, Nick, Mike Woods, and some more who have ripped those malware lamers' efforts to shreds and have rendered them totally useless.

    All they have left now is to probe Vista to see what they can do with it, but with NT systems, their efforts have been checked and stopped dead in their tracks.

    THANK YOU SECURITY EXPERTS FOR EVERYTHING YOU'VE DONE AND CONTINUE TO DO. YOU FELLOWS ARE TRULY THE MASTER GLADIATORS NOW, AND YOUR EFFORTS AND TALENTS HAVE PUT THE JERKS ON THE DEFENSIVE MORE SO THAN THEY THOUGHT THEY HAD DONE TO THE WINDOWS SYSTEMS OVER THE YEARS.

    In other words, the tables have drastically turned and you guys/groups are the REAL CHAMPIONS!!

    Thanks
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I tend to agree with you, Easter. IMO, the reason we don't see any major innovation in security software is because there's not much to improve. All presently known threats can, AFAIK, be defeated with current solutions. Of course not with "one does it all", but with an INTELLIGENT combination of products...
    If only shadow apps like Returnil could protect against RAW disk access, I wouldn't need anything else (for now....)... Gladly some are already on a good track for achieving this...
     
  3. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    @ HURST. When you say defeated, do you mean cured or prevented?

    Blocking should be first and foremost in the minds of security app writers, IMO. Not detection after the fact, which then usually involves cleaning. Not always an easy task.
     
  4. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I guess some products still need some work to remove some kinds of rootkits, although they are able to prevent their installation, apart from that, I agree with HURST.:thumb:
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Agree

    A roadway guardrail is positioned at dangerous points BEFORE the fact, to prevent serious injury, and not after, to use a crude analogy. The same thought also applies to our investments/data as a precaution, because it's better for everyone to have some buffer of protection ahead of dangers that can cost time, money, or the loss of important information you would rather protect BEFORE the fact than have to clean up AFTER the fact, from which some things may never be the same again AS BEFORE.

    EASTER
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I was talking PREVENTION.
    After an infection has taken place, sometimes the only thing left to do is a reinstall.
    Or take for instance the ransomware... there's no cure for that. But it can be defeated BEFORE it does any harm...
     
  7. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Agree. These are the only ones I recommend
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You're welcome.
     
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Well, that's very biased.

    I don't have a HIPS, although some of my security software has a few HIPS like features.

    I have a firewall, an antivirus that includes some antispyware protection, and two antispyware programs, the latter two with real-time/active protection.
    And I'm not using SAS or MBAM.

    Apart from a few cookies, I've found only one low-risk adware infection (detected by an on-demand scan) in the past 12 months. :rolleyes:
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Personally I think virtualization is the future. IMHO HIPS will never catch on until they "dumb" it down for the masses. I know most will just say "my (insert age here) daughter/son/grandma/whatever can use HIPS just fine"... ok, good, but too many are left that cannot. Even with a simpler form such as Threatfire, how many average Joes are going to know what the hell Threatfire means by "suspicious action"? Not many. You guys have to come away from the forum for a few minutes and take a look at your average computer user, people that don't frequent these forums.

    HIPS, even the simple ones, take SOME learning. Your AVERAGE user does not learn, he/she surfs, banks online, plays games, stores personal data, and logs off until the next use. They need a TRUE set it and forget it app, which is EXACTLY what apps like SandboxIE and Returnil are (keylogging protection in SB being one exception). VERY, VERY little can get past either app, where a user can shoot him/herself in the foot with a HIPS just by picking the wrong answer. Until that is no longer a case, thinking HIPS is the future is only looking at a partial picture, IMHO.

    AVs may be a crapshoot, but they still have a use. And an AV alongside an updated browser (even IE), SandboxIE, and Returnil makes for a damn near undefeatable wall of protection. All a user has to do is delete the sandbox, or, even better, let the sandbox delete itself, and reboot, and every bad thing that even attempts to hit them is gone without a trace, and the user didn't once have to read and look up some "suspicious action" and pick the wrong answer, resulting in computer hell.

    HIPS are nothing more than a hassle to your average user, including even some members here. And, until that hassle is either completely gone or lessened greatly, HIPS is not the future of anything. In fact, it'll remain what it is now, a novelty among those "in the know".
     
    Last edited: Aug 6, 2008
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Blacklist scanners still have their function. They provide certainty that a file is bad (yes there is the odd FP). A good AV, user education (and policy in the enterprise) provide good protection.

    Classical behavior blockers are niche products; however, 'smart' behavior blockers and pre-set-up sandboxes are a good layer of defence for the average user.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why do we need new entries? The basic methods of delivering malware have not changed, and there are many preventative measures already in place.

    Ways of tricking people to click have become more sophisticated, but this is a people-problem, not a security application problem.

    CNN Daily Top 10 leads users to site hosting malware
    http://blog.mxlab.be/2008/08/04/cnn-daily-top-10-leads-users-to-site-hosting-malware/
    [image: cnn.gif]


     
    Last edited: Aug 6, 2008
  13. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    I agree with dw426.

    I notice a trend where many people are claiming to have the perfect solution to all malware. These "perfect" solutions mostly consist of a collection of often complicated or annoying-to-use software from various vendors. These people heavily protest against the all-in-one suites, often ridiculing other people of less technical know-how for using these "simple" solutions. And if some of these people were king of the world they'd also make all people get mandatory computer "drivers" licenses, so that no one would ever screw his computer up again.

    But the fact of the matter is that the greater majority of the people who use computers don't have any knowledge of computer security and malware. They either truly don't understand it, or they don't want to understand it. And the reality is you can't expect all people to understand it. Just like you can't expect all people to build their own television, car and house from scratch.

    -HIPS are far too complicated for the majority of the people.
    -Manual firewall alerts are too complicated or cryptic for the majority of the people.
    -Virtualization can be annoying for the majority of the people because they aren't in a solid environment. They constantly need to reboot or temporarily disable virtualization to make permanent software/system changes, etc.
    -Limited user accounts can be irritating for the majority of the people because much software tends not to work properly then.
    -etc.

    Conclusion: security vendors can improve upon many things, and by that I mean improving the usability and simplicity of security software. Make more security software accessible and easier for the majority of the people. Applications need to get smarter; the actual decisions should be made more by the security software and less by the computer user.
     
    Last edited: Aug 6, 2008
  14. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    There's no 100% slam dunk, guaranteed solution, but you can come close. Take a Defensewall and Sandboxie and I believe you're just about as secure as you can ever be. The authors of both Defensewall and Sandboxie are very quick to fix any problem that is discovered. You can replace sandboxie with geswall, bufferzone or similar program.

    Really, from a lot of reading on Defensewall (since I'm hinting to my wife for a birthday present in a couple of weeks), I think DefenseWall by itself just might be the Only security software you need.

    I'm aware of the layered approach, so throw in geswall or sandboxie and an on demand av and SAS, and you're good to go anywhere safely.
     
  15. Killtek

    Killtek Registered Member

    Joined:
    Feb 22, 2007
    Posts:
    100
    I say next gen virtualization is where they can take security to the next level.
     
  16. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Well said, dw426. I probably qualify as your "average user". Well...maybe a little more than that. But it's not that I don't want to learn HIPS. Instead, my thinking is this: If there is computer security available that is simpler yet effective, then why shouldn't I pursue that approach? That's why Sandboxie is my security preference for now. True, with Sandboxie I don't see pop-up alerts telling me when something is trying to run on my system. But do I care? Not really.

    One footnote edit: Regarding the keylogging / SBIE exception noted by dw426, the consequences of picking up a keylogger can be mitigated by (a) setting up and using a special sandbox for sensitive web activity and (b) configuring that sandbox to disallow anything from accessing the web except the browser.
     
    Last edited: Aug 6, 2008
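Doodler's two settings, written out as the entries for a dedicated box in Sandboxie.ini. This is an added example and is not configuration from the post or from Sandboxie's own documentation: the box name `Banking` and the browser `firefox.exe` are placeholders for the reader's own, the `ClosedFilePath=!program,InternetAccessDevices` form is the line Sandboxie's Internet Access restriction writes (confirm it against the help for your version, since older releases named the network devices individually), and `AutoDelete=y` is assumed to be the setting that empties the box on close.

```ini
[Banking]
Enabled=y
ClosedFilePath=!firefox.exe,InternetAccessDevices
AutoDelete=y
```

The `!firefox.exe,` prefix inverts the rule: the networking devices are closed to every program in the box except the browser, so a keylogger that gets dropped into the box can record keystrokes but has no path to send them anywhere, and the box is wiped when the browser is closed. Keep the sensitive box separate from the everyday browsing box so that nothing carried over from general surfing is present when you log in to the bank.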
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I agree 100%, and that goes also for those firewalls with a bunch of pop-ups.
    When you are not the only one that uses the computer, then it is better to have something silent, or with close to no pop-ups (wife be happy). :thumb:
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    denniz, you make very good points about complexity in software.

    The much-feared drive-by download depends on sneaking in the malware behind the scenes and the user sees nothing happening. For the home user, I want the simplest application keeping watch over things. This would be a direct Default-Deny alert, where the user has no decision to make. Of all of the solutions tested here

    Blocking Drive-by Downloads
    https://www.wilderssecurity.com/showthread.php?t=214369

    only two fall into this category:

    Software Restriction Policies


    Too complicated to set up and maintain? Anti-Executable is the other true Default-Deny solution:

    [image: AE-block.gif]

    All other malware attacks are a user problem. That is to say, the user consents to download/install.

    Other examples.

    1) From another thread:

    2) email


    There are two solutions:

    1) Hope that your security stuff will flag the malware

    2) Consider your sources.


     
    Last edited: Aug 6, 2008
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Rmus, am I correct in thinking that AE basically has to be shut down in order to allow an executable to run? If so, even if it has "whitelisted" all others on the individual system, wouldn't there be great risk in running an installation with it turned off? Also, would such protection still fit in with my previous definition of "average user", you know, the same ones that download this and that, change their systems on a weekly if not more frequent basis? I think the true answer to security on the internet is the following:

    1. Regulation. Instead of blasting people for not knowing how to protect themselves from malware/viruses, create an effective way to go after the people that create and use the malware/viruses. We can't rightly be angry with people for not protecting their systems and not try to fix the problems that are causing them to have to take all these security measures in the first place. Of course regulation is a problem because let's face it, people by nature want to be free to do whatever they please, and they don't want governments intruding upon that wish.

    2. User education. Explain in terms a simpleton can understand, what these things are, how they work, how they get on systems, and how NOT to get them WITHOUT using security apps. The problem here is the same with HIPS and with regulation, and that is people want to be free to do what they please, and they don't want to spend the time they could be surfing/gaming/banking/chatting, to learn about threats and the prevention of threats.

    So if you REALLY want to boil this down, the solution to security is that there is no solution as long as nobody is watching over the internet and as long as users don't want to spend precious time figuring out what websites are safe (which that alone changes almost daily), and how to not be hit with these things, all the while still being able to do whatever they please.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is true. AE is not a HIPS program. It has one duty in life: block unauthorized executables.

    I've used AE in homes where all are "average" users, and it works for many situations:

    1) parents control what gets installed

    2) No drive-by downloads -- My Space and Facebook included

    3) Inadvertent clicks on email attachments which download executables are blocked

    If a person makes changes, frequent or otherwise, that is to say, authorizes an installation, we are in my "user-problem" category, where the user has to make a decision.

    I have not found this to be a problem where people download legitimate software from reputable sources.

    Looking at the hijack forums, it's evident that people figured their security would protect against downloading from not-so-reputable sites, and it didn't.

    This, of course, is the real solution. How to do this? Not an easy task. I don't believe it can be accomplished at a distance. My experience has been that One-on-one is the most effective.


     
  21. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    That's one reason I stopped using AE. I started thinking, if I download something, I need to turn off AE to open it. If there was something nasty in that download, when I restarted AE, it would be accepted as okay, or that's how I understood it.

    It's why they recommend you install AE on a known to be clean computer, like a fresh install, because everything on your computer is considered okay by AE.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is correct. How does one decide if something is safe or not to install? It seems to me there are two choices,

    1) Scan the program

    2) Trust your instincts and source

    Neither is 100% effective, so I see no difference in which one chooses.

    It all depends on one's "comfort level" and peace of mind.


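The default-deny idea in Rmus's two posts above (SRP and Anti-Executable: a baseline of trusted executables, everything else blocked) and the turn-it-off-to-install problem that dw426 and Chuck57 raise, modelled in Python. This is an added example, not code from Anti-Executable, from SRP or from anyone in the thread; the directory layout and file contents are constructed, the list of executable extensions is an assumption, and the model follows Chuck57's description that re-enabling protection trusts whatever is on disk at that moment.

```python
"""
Hash-based default-deny allow-list, modelled on the behaviour the thread
attributes to Anti-Executable. Added example; not the product's code.
All files, contents and hashes here are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions the model treats as executable; a real product
# would also key on file headers rather than names alone.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Content hash: a trusted path overwritten with new bytes is no longer trusted."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class AllowList:
    """Anything not in the baseline is denied while enforcement is on."""

    def __init__(self, root: Path) -> None:
        self.root = root
        self.trusted = set()
        self.enforcing = True

    def baseline(self) -> int:
        """Trust every executable currently on disk; return how many were added.

        This is the 'install on a known-clean machine' step and, in this model
        (an assumption taken from Chuck57's post), also what happens each time
        protection is switched back on.
        """
        before = len(self.trusted)
        for p in self.root.rglob("*"):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                self.trusted.add(sha256_of(p))
        return len(self.trusted) - before

    def check(self, path: Path) -> str:
        """Decide whether `path` may execute: 'allow' or 'deny'."""
        if not self.enforcing:
            return "allow"  # protection off: no decision is made at all
        if path.suffix.lower() not in EXEC_SUFFIXES:
            return "allow"  # the model only guards executable types
        return "allow" if sha256_of(path) in self.trusted else "deny"


def scenario() -> dict:
    """Walk through the situations discussed in the thread; return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        notepad = root / "notepad.exe"
        notepad.write_bytes(b"MZ constructed clean notepad")
        al = AllowList(root)
        al.baseline()  # clean-system baseline

        # 1. Drive-by drop while enforcing: not in the baseline, so denied.
        dropped = root / "Temp" / "update.exe"
        dropped.parent.mkdir()
        dropped.write_bytes(b"MZ constructed dropper")
        results["drive_by_while_enforcing"] = al.check(dropped)

        # 2. Trusted file overwritten in place: the hash changes, so denied too.
        notepad.write_bytes(b"MZ constructed tampered notepad")
        results["tampered_trusted_path"] = al.check(notepad)

        # 3. User turns protection off to run an installer. Everything runs
        #    during that window, including the dropper still sitting on disk.
        al.enforcing = False
        results["dropper_while_disabled"] = al.check(dropped)

        # 4. Protection goes back on and re-baselines what is on disk: the
        #    dropper is now trusted, which is the risk Chuck57 describes.
        al.baseline()
        al.enforcing = True
        results["dropper_after_reenable"] = al.check(dropped)

        # 5. Anything dropped after re-enabling is still caught.
        later = root / "Temp" / "later.exe"
        later.write_bytes(b"MZ constructed second dropper")
        results["drive_by_after_reenable"] = al.check(later)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:26s} {verdict}")
```

Two things the model makes visible. Trusting by content hash rather than by path is what catches case 2, an overwritten trusted file; an allow-list keyed on file names would not. And cases 3 and 4 show that the only safe moment to disable enforcement is when nothing untrusted is already on disk, which is why the decision Rmus describes (scan the download, or trust its source) has to be made before the switch is thrown, not after.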
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    And a general user's comfort level and peace of mind is "well, it can happen, but it won't to me, I know what I'm doing" Followed by "Um, I didn't order all this stuff" in a phone call from their bank, IF they get that call.
     
  24. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    You are absolutely right. For three months now I have been running with only DefenseWall, my router and Kerio 2.5.1 for outbound protection. And guess what, when I scan once in a while with Dr.Web CureIt or SuperAntiSpyware, they never find anything...
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    correct, Geswall is all I use, I have thrown some pretty ugly stuff at it and nothing has gotten through. It is all I need just as those who use Defensewall. Hmm, seems I said that 4 weeks ago.:doubt:

    Bottom line is, you don't need any stinking AV or suite. Time to make a pine box for them.;)
     