How light can you go?

Discussion in 'other anti-malware software' started by Kees1958, Jun 6, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    My son needed a laptop for his study. It is more or less a forced buy from his university, with a few options. So we decided to use the cheapest one.


    Setup will be

    Vista 32 bits, 4 GB RAM (old DDR2); we will be using the non-addressable RAM as a RAM drive for the swap file.

    FireWall :thumb:
    No question, we will use the fastest two-way, low-overhead firewall available for Vista. Thanks to Stem's post https://www.wilderssecurity.com/showthread.php?t=239750
    (and a little help from Vista FW control free, to get the correct paths and executable names to manually allow)

    Intrusion Protection
    UAC/Norton UAC :thumb:
    No Question again. We will use the fastest/lightest Intrusion detection available on Vista: UAC. To remember choices we have selected the freebie Norton UAC Tool, BYE BYE ROOTKITS

    Windows Defender
    Joined the advanced group, deselected scheduled scans and the on-access scan. WD will still check downloaded programs, but uses very very few CPU cycles now. Also the other Agents will still warn you when an intrusion occurs, BYE BYE SPYWARE.

    Virtualisation/sandboxing
    Chromium/Iron's Internal policy Sandbox :thumb:
    We downloaded the fastest lightweight browser, the completely disinfected version of Chrome: Iron of SRWARE. We used the mobile version, because it is easier to contain/further limit. Iron (Chromium) has an internal sandbox.

    The VISTA virtualisation trick with UAC! :thumb:
    Just to be sure we right-clicked on Task Manager, clicked VIEW, selected Columns, chose Virtualisation (see pic). All Internet-facing programs were forced to run virtualised (similar to running in protected mode like IE8). Also Foxit (PDF), Flash, etc. set to this mode.

    Software Restriction Policies
    PrettyGood Security :thumb: :thumb: :thumb:
    YES it is there, the great Pretty Good Security, just PM Sully when you want to beta test. Version 1028 running great. SRP Policy
    a) All Internet-facing programs run in LUA, except IRON
    b) The user space (in our case D:\Data or the moved My Documents) has a DENY execution

    EdgeGuard Solo :thumb:
    Runs OFFICE and IRON as limited. Advantage: With Edge Guard Solo IRON runs when SRP is on all executables (otherwise you have to exclude DLL's), downside EdgeGuard does not protect against Direct Disk access, but this is compensated with virtualisation.

    AntiVirus/Blocker
    Avast Standard Shield
    We used Avast free, only the standard module (we have moved the e-mails of Outlook Express to D:\Data\Mail and contained them with Pretty Good Security 1028, so only the standard shield is enough). We only check on execute the old DOS and 16-bit Windows programs; 32/64-bit and DLLs are not checked.
    We have deselected READ scanning, so only checking on Write of new or changed executables. Normally writing is too late, but Avast has its VRDB database to fall back to a previous (uninfected) executable.

    Avast Blocker. :thumb:
    We also use the old-fashioned BLOCKER (see advanced options standard shield) to throw a warning when an executable is RENAMED. The funny thing is this RENAME also prompts into action when an executable is MOVED! This closes the gap from any malware being able to move its executable from the user space (where it can not execute) to the Admin/system space (where no SRP is in place). PERFECT!

    Bottom line
    An amazing light setup, safe and super fast (checked with benchmark programs).
     


    Last edited: Jun 6, 2009
  2. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    127
    That is VERY cool!

    Silly question: how do you know which programs are internet-facing (I am unfamiliar with the lingo)? Are you describing browsers and mail programs?
     
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Awesome setup there Kees, you put a lot of thought into efficiency.

    Off-topic, really enjoy Iron, but find when the spell-checker identifies a word, when you right-click, it crashes.

    Also with Windows Defender, once it alerts you of a possible change, how effective is WD in preventing the change? I liked how light it was, but found to 'undo' a system change it had alerted me to, it would report back something like 'change could not be made', or along those lines. :doubt:
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Interesting. Can you explain what you are doing with PrettyGood Security/SRP and the Vista virtualisation trick with UAC?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes e-mail, webbrowsers, Peer-to-peer, messenger, windows media player, etc.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    those programs that use/connect to the internet are targeted by hackers and cyber criminals so it is better to close doors;) seal the doors at all times to protect your privacy/files and pc:thumb:
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, on Vista with UAC it is stronger than on XP. I agree that on 'heavy' malware it sometimes warns, but can not prevent the system from shutting down. I have OSAM and Process Hacker when WD fails to un-do (look at history in WD).

    It is much lighter when you disable the on execution scan of the real time agents

    Did not know about the bug of Iron; alternatively just download the latest Chromium Portable and start incognito by default.
     

    Attached Files: wd.JPG (77.8 KB, 1,344 views)
    Last edited: Jun 6, 2009
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pretty Good Security is a new SRP utility. It gives you the SRP abilities when using XP Home or Vista Home. I block all execution on the My Documents folder (moved to D:\Data).

    Mail Sully he has developed it. It works well (I have tested it). Mail him when you want to try.

    Vista Virtualisation. It virtualises access to e.g. HKLM\Software registry changes and C:\Windows, C:\Program Files changes for the programs you mark in Task Manager.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    We ran some benchmarks and beat some other freeware setups, some marginal (e.g. the latest CIS, 17% more efficient on CPU and 7% more efficient on internet, this sounds a lot but with the low resource usage both have the absolute difference is fractional), some by far (e.g. Sandboxie).
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    67 processes is light o_O

    Just use a hardware firewall, Sandboxie and Returnil for a superlite and exceptionally secure system. :thumb:

    Turn off and or delete anything MS security related as it's useless bloatware.(IMHO) ;)

    Taskmanager.JPG
     
  11. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    I just use a little bit of common sense, Windows Firewall and Prevx 3. It's not for free but easy, effective and extremely light.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And if it works for you and you're happy then stick with it.

    No need for all those fangdangled fancy setups that Kees is constantly espousing.

    Here I can't have or don't want any realtime blacklist/hips scanners as I want everything to come through unhindered in order to test for new malware samples.

    Sandboxie fits that role perfectly here.
     
  13. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Kees, I have a question. I can turn on virtualization for let's say Firefox (while it's running) but when I close it out and then activate it again virtualization is no longer enabled. So my question, how did you get it to remain enabled? Or did you have to enable it each time you activate an internet facing application?

    Thanks.

    Later...

    BTW, I'm running Vista Ultimate.
     
  14. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    My setup is as light as it has been in a long time. Windows Firewall, Prevx and Defensewall and a lot of common sense. I think my days of running umpteen security programs at once are at an end.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What is so complicated about Kees setup? He is using a firewall, windows at that, so not much really to mess with there.

    Chrome, sandboxe sort of deal, not really different than sandboxie.

    SRP, which does not have to be complicated.

    UAC or variation of this. UAC is default anyway on Vista/7.

    Antivirus, which pretty much everyone should use unless they really know what they are doing. At the least it will monitor for older virii that might still float around.

    Finally he has some sort of specialized blocker for file renaming or other such thing.

    I don't see how this is much different than most peeps setup, except for the SRP rules and a sandbox via chrome.

    Am I missing something, because I think this layout is fairly straight forward with not much involved.

    Sul.
     
  16. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The differing approaches by Kees1958 and Franklin go to show that there are multiple ways to achieve a secure system. Both of the set-ups mentioned would make malware infection extremely unlikely so it's just down to personal preference which method to employ.:)
     
  17. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    How do you use UAC to start certain programs with lower rights?
     
  18. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Google UAC Virtualization. There is some info out there about this approach but nothing too extensive (at least from what I've found so far...but I'm still looking).
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Trespasser,

    I will have to ask my son. He is on a rugby tour right now, will be back next week. He created a user account which asks for admin password when an elevation request is required. I also know he plays with powershell scripts (I fear he gave me the simple version on how it works :oops: ).

    I clicked a few links on his laptop he had saved: http://blogs.technet.com/richard_macdonald/archive/2007/05/18/990366.aspx

    Regards Kees

     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    He set up another account, editing HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System with regedit

    "ConsentPromptBehaviorAdmin"
    User Account Control: Behavior of the Elevation Prompt For Administrators in Admin Approval Mode
    0 = run in quiet mode (keep UAC on, but automatically elevate to Admin)
    1 = run UAC, when an elevation request occurs, you are asked to enter the admin password
    2 = run UAC, prompts for confirmation to continue a task which requires admin rights (default)

    "ConsentPromptBehaviorUser"
    User Account Control: Behavior of the Elevation Prompt For Standard Users
    0 = no pop-up, disallow/block when UAC is on and running as a limited user account
    1 = allows you to take over the credentials of the admin by entering account and password
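    The two registry values listed above can be read and interpreted from a script instead of regedit. The PowerShell audit below is an added example, not code from the thread or from Kees1958's son; it assumes Windows Vista or later with PowerShell and reads the key the post names (no elevation is needed to read it). The value meanings are the ones the post gives; EnableLUA is the standard on/off switch for UAC under the same key.

```powershell
# Added audit script (not from the thread): reads the UAC policy values the post
# describes and reports what each setting means plus anything worth a second look.
# Assumes Windows Vista or later; reading this key needs no elevation.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings as listed in the post (Vista values). Later Windows versions add
# values 3-5 for the admin prompt; those fall through to "not described".
$AdminMeaning = @{
    0 = 'elevate silently: UAC stays on but admin tasks are auto-approved'
    1 = 'prompt for the admin password on every elevation request'
    2 = 'prompt for consent (Vista default)'
}
$UserMeaning = @{
    0 = 'elevation denied outright for standard users, no pop-up'
    1 = 'standard user may enter an admin account and password to elevate'
}

function Get-UacPolicy {
    # Returns the raw values; a value that is absent from the key comes back as $null.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC enabled
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
    }
}

function Get-UacValueMeaning {
    param([hashtable]$Table, $Value)
    if ($null -eq $Value) { return 'value absent (Windows default applies)' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return "value $Value not described in the post"
}

function Test-UacPolicy {
    # Flags the combinations a defender would want to notice.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    # An absent EnableLUA is treated as the Windows default (UAC on), so only an explicit 0 is flagged.
    if ($null -ne $Policy.EnableLUA -and $Policy.EnableLUA -ne 1) {
        $findings += 'UAC is off (EnableLUA is not 1): every process of an admin user already has full rights'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admins elevate silently: a program run by the admin gains full rights without any prompt'
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users cannot elevate at all (a deliberate lock-down on some setups; check it is intended)'
    }
    ,$findings   # unary comma keeps an empty result as an array
}

$policy = Get-UacPolicy
"EnableLUA                  : $($policy.EnableLUA)"
"ConsentPromptBehaviorAdmin : $($policy.ConsentPromptBehaviorAdmin) -> $(Get-UacValueMeaning $AdminMeaning $policy.ConsentPromptBehaviorAdmin)"
"ConsentPromptBehaviorUser  : $($policy.ConsentPromptBehaviorUser) -> $(Get-UacValueMeaning $UserMeaning $policy.ConsentPromptBehaviorUser)"
$findings = Test-UacPolicy -Policy $policy
if ($findings.Count -eq 0) { 'No weak UAC settings found.' } else { $findings | ForEach-Object { "WARNING: $_" } }
```

    Switching the admin prompt to the password prompt the son chose is a single `Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1` from an elevated prompt; on Windows 7 and later the default admin value is 5 rather than 2, which this script reports as "not described in the post" rather than guessing.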
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ha, you are wrong about the number of processes as a benchmark for efficiency. Tip: use a better performance monitor than Task Manager. Total CPU time, CPU spike variances and I/O overhead are far more important than the number of processes.

    You are right about Returnil, it is an effective solution to freeze the setup of a PC running admin.

    Wondering how you were able to delete OS-related security features of Windows and still have a PC that boots by the way
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 1 see pic, it is an old feature of Avast, a little useless nowadays, but in combination with Pretty Good Security a nice countermeasure to prevent moving an executable from user space (where SRP rules) to the admin/system space.
     


  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    vLite for a base thinning then delete the feck out of it after install.

    All I can say is that if anyone thinks they need UAC then they probably do.

    Limited user account - bah.

    After desktop comes up after a fresh install get Vista to show the full blown admin account at reboot and select it then delete the account you are forced to create at install.

    No more right clicking cmd and selecting "Run as Administrator" as it starts in admin mode.

    But if you want to use your system like having to crack a safe and a lack of confidence then that's your choice.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For years, people have been complaining about the insecurity of Windows systems. When Microsoft finally does something about it, what do they do? They (users) don't give a damn. The saddest thing is that advanced users advise casual users not to run UAC because it is annoying. I have a different opinion, and so does my family, running a limited user account and software restriction policies, which in terms of limiting only limit changes to important system parts, so they won't limit, for example, an e-mail client from getting e-mail messages, a web browser from browsing the web, etc.

    Now, I'm not saying that you don't feel comfortable running in full administrator account.
    If you've got the knowledge to be using an admin. account or have the time to check what's happening in the system, then go ahead. But, that's no reason to say/advise to others to do the same.

    Would you feel safer if I tell you to stop taking your shots, just because it won't prevent you from dying? It's a waste of time, a waste of holes in your skin, a waste of money (if you pay for your shots). Bottom line, you live for your shots, believing they will save your life. What for? What's the point?

    Why live in fear?

    What if I tell you I don't take any shots... Am I the one not having lack of confidence...? This would be living in full admin. control, right?


    Cheers
     
  25. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I wouldn't call them advanced users if they go so far as to make the basic mistake of not running UAC not because of any software/hardware problems, but because they think it's "useless bloatware".

    Ignorance, coupled with the confidence/belief that one is knowledgeable, is a very dangerous combination indeed, both to the person himself and those around him.
     