How unhackable will this setup be?

Discussion in 'other anti-malware software' started by axfleming, Apr 1, 2007.

Thread Status:
Not open for further replies.
  1. axfleming

    axfleming Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    13
    Hello.
    Having followed your forum for a few months and benefiting from the excellent advice, I would like some opinions on a security setup.

    How secure do you think this will be:

    A Win2k PIII DP server with 1gig ram running a 256meg WinXP VM with uTorrent, Nod32 realtime, AVG Antispyware realtime and Superantispyware realtime.
    uTorrent is mapped to a autodownload directory and a completed directory on the server so files can be saved and downloaded without opening up a VM console.
    In addition to Winroute, F-Secure Internet Gatekeeper and Squid+Privoxy, the server will run Symantec AV Client realtime, with a scheduled task kicking off every 5 minutes to both run a manual Kaspersky AV scan and to move checked files to a safe directory.
    In another VM, software is installed in either a SVS layer or a Thinstall archive, with either of these being installed to their final destination.
    Now is any form of realtime protection necessary on the workstations, aside from maybe SSM?
    Winroute+F-Secure blocking ports eliminates need for firewall,
    Squid+Privoxy blocking ads, animated gifs, javascript, etc,
    Three anti-malware engines blocking viruses and spyware in addition to two antispyware engines,
    and SVS or Thinstall should help keep the registry and Windows directories tidy.
    With browsing of "unsafe" sites done in the XP VM, which can be reset in a minute, safe browsing can be done on the workstation.
    With no realtime protection needed on the workstation, I can eliminate software conflicts and get the full use of my cpu power, with the server hard at work keeping out the baddies from the basement.
    Is this feasible, the best of both worlds, top protection with no overhead?
     
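    The five-minute scan-and-move task from the first post, as an added example that is not the original poster's script: it releases only files that have settled (no in-progress suffix, untouched for a full interval), records a SHA-256 of exactly what was judged, and routes flagged files to a quarantine directory instead of the safe one. The `.!ut` suffix, the directory names and the marker-byte stand-in for the AV scanner are assumptions; in the described setup the `scan` callable would wrap the command-line scanner's exit code.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, Tuple

MIN_AGE_S = 300  # one scheduler interval; a younger file may still be growing


def sha256_of(path: Path) -> str:
    # Whole-file read keeps the example short; chunk it for multi-GB payloads.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def release_completed(completed: Path, safe: Path, quarantine: Path,
                      scan: Callable[[Path], bool]) -> Dict[str, Tuple[str, str]]:
    """Move settled clean files to SAFE and flagged ones to QUARANTINE;
    returns {name: (verdict, sha256)} so every run can be logged and audited.
    Assumed client behaviour (not from the thread): unfinished files end in '.!ut'."""
    now = time.time()
    results: Dict[str, Tuple[str, str]] = {}
    for entry in sorted(completed.iterdir()):
        if (not entry.is_file() or entry.suffix == ".!ut"
                or now - entry.stat().st_mtime < MIN_AGE_S):
            results[entry.name] = ("skipped", "")  # may still be being written
            continue
        digest = sha256_of(entry)  # fingerprint of exactly what was judged
        dest = safe if scan(entry) else quarantine
        dest.mkdir(parents=True, exist_ok=True)
        shutil.move(str(entry), str(dest / entry.name))
        results[entry.name] = (dest.name, digest)
    return results


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample tree; the stand-in scanner flags any file containing b'MARKER'."""
    root = Path(tempfile.mkdtemp())
    completed = root / "completed"
    completed.mkdir()
    old = time.time() - 2 * MIN_AGE_S
    for name, body in [("clean.iso", b"harmless"), ("keygen.exe", b"MARKER x"),
                       ("still.mkv.!ut", b"partial")]:
        (completed / name).write_bytes(body)
        os.utime(completed / name, (old, old))
    (completed / "fresh.zip").write_bytes(b"just landed")  # mtime == now -> skipped
    return release_completed(completed, root / "safe", root / "quarantine",
                             lambda p: b"MARKER" not in p.read_bytes())
```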
  2. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    I can't help you with your question as I truly don't know what hackers are capable of and what they aren't. However, the best advice I could offer is not to advertise what you plan to defend your system with because:

    1. You might be presenting an irresistible challenge to the lurking hackers and

    2. Once they know what you are using, hacking your system probably becomes much easier
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,

    Unhackable:

    Do you mean cracked from external source?
    OR
    You execute something locally?

    Mrk
     
  4. axfleming

    axfleming Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    13
    Ok, maybe a little background.
    In my company, I have been given the "enviable" task of checking warez, torrent, keygen etc sites to see if our software has been cracked and available for download.
    If I discover any, I download it and analyze it to see what mechanism the hackers used and give recommendations to our developers.
    Our CIO recommends using a VM for all sessions, but it is a pain to work permanently in a VM session.
    So I am primarily concerned about inbound security from these dangerous sites, and malware protection from illegal warez.
    As for knowing what hackers are capable of, who knows really what the human mind can conceive?
    I know 100% safety may not be possible for this scenario, but maybe six nines?
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi,
    How unhackable?
    Depends, consider Mrkvonic's questions!
    As for the job in hand I think your CIO knows what he is talking about - I don't understand, 'but it is a pain to work permanently in a VM session.'
    VMWare Lab Manager, Workstation would be my premise, or if working alone, Workstation - vms and your tools.

    I don't think all those realtime would be necessary, I would certainly worry about overhead.
     
  6. axfleming

    axfleming Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    13
    Hello Meriadoc,
    I guess my questions come from my experience (or lack of) with malware.
    I have been working with PCs since the DOS 3.31 days; DRDOS, OS/2 2.1, QEMM, 386MAX, Stacker etc.
    Those were the days when you had to spend 500 bucks for a word processing program (I bought WP 5.1 for DOS).
    So I have accumulated almost 15 years working with PCs, and I have never had a virus infection, never had a trojan, never a rootkit, and I am wondering what all the hype is about!
    I check all the "dangerous" sites, and have never had to reinstall because of malware, but I have had to reinstall because of legitimate software which I paid for.
    I just don't understand the current state of paranoia.
    Everyone is putting in their sig all the different apps they are using for protection, and sometimes I wonder if these people are just bored looking for a problem to support their solution!

    I just don't get it.
     
  7. axfleming

    axfleming Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    13
    @Meriadoc,
    Overhead is not a problem currently.
    So far, with Squid+Privoxy blocking ads and animated gifs, I am getting faster speed than using even solo Nod32.
    Personally, I think that is the way to go for the future.
    Have an old clunker where you can offload all this unnecessary defense crap, and have your workstation behind this layer.
    I installed AVG antispyware from late last year; by default, it had 500,000+ malware sigs.
    After I updated, it had around 750,000 sigs!!
    It is unrealistic to think that your workstation can defend against an ever growing amount of malware apps!
    Imagine when it gets to 3 million sigs!
    Ultimately, everyone will have to move to having a dedicated malware checking solution.
    Check out Bill Gs demo of the home server MS is trying to sell.
    Offload the security checking, and free your machine.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd say:
    "Move the blacklist to the gateway/perimeter and use whitelisting/forensic tools in the workstations"
     
  9. EASTER.2010

    EASTER.2010 Guest

    Hello and Greetings today axfleming.

    Some of that summation is indeed fact but the latter not the former. LoL

    There's no such thing as boredom when you have ever suffered a severe system intrusion courtesy some website laden with malware/droppers or another failure attributed to laced online software whose mission in that occupation is to create Maximum disappointment for as many end-users as possible. Gets real personal when it's YOUR personal investment tampered with.

    Myself, I do now go looking for problems, (research/submission purposes) but am also well guarded against permanent attachment by any of them, courtesy this huge inventory of securityware which is built up over time. Once you've been officially initiated into the consortium club of suffered malware infestation and all the frustrations/wasted time that go hand in hand from them, believe me you never forget it, and you guard ever so more gallantly against ever repeating such an experience again no matter the load of shieldings available.

    You're one of the lucky ones, hope your luck and especially planning, continue to serve you as well as always.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    axfleming, you're quite right dude about the hype.
    But you must remember ... for most people here, it's a hobby. Just like collecting stamps. Or buying more shoes.
    Mrk
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Install Deep Freeze and Anti-Executable on your workstation. That and a firewall is all you need, and you will be safe in browsing the sites.

    With AE, any attempt to remotely download an executable will be blocked (White List protection).

    With Deep Freeze, a reboot will restore to previous good state, and your Windows directories and Registry will stay pristine.

    Then, if you need to download/analyze something, you can do it in a VM if you want.

    I regularly test malware (let it run) with the above setup with no problems.

    Same here (14+ years)

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    axfleming:
    :) Yes, and hundreds to thousands for a drive (Megabytes)
    I'm all for that.;)
     
    Last edited: Apr 5, 2007
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    How is the F-Secure Internet Gatekeeper in your setup? I've been testing Astaro (now free) for a while now, but I do have a NG1100 appliance which runs an optional antivirus, antispyware, url filtering, certificate analysis, behaviour and zero-day protection.
    Is it a full product? I'm just thinking if you are overlapping.
     
    Last edited: Apr 5, 2007