Knowledge challenge

Discussion in 'other anti-malware software' started by Kees1958, Nov 20, 2006.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay members of Wilders this is your chance to show and share your knowledge.

    What is the idea?
    Set up a multi-layered defense architecture with as little overlap as possible. Use the diagram to fill in your selected set of security apps.

    What is the challenge
    To argue for your choices, e.g. I do not want pop-ups, therefore I use community-based security programs; or I do not want to pay for security apps; or I think two consecutive layers of defense are nonsense because . . .

    What is the reward
    Respect of the Wilders members, and have fun
     

  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Knowledge challenge example

    Okay, since nobody dared I will give it a try

    When setting up a multi layered defense my preferences are:
    - freeware
    - to stop an attack as early as possible.

    This is the reason why I prefer sandboxing/virtualisation (DefenseWall) over classical HIPS like SSM or AntiHook.

    Ad DSA (Dynamic Security Agent)
    According to this preference you can ask: why do you have such a 'weak' (only 2 plusses) choice, while there are also excellent freeware firewalls like Comodo or Jetico?
    The reason for this is that Comodo, for instance, notices when a whitelisted application gets changed (e.g. a DLL implant), but it only warns when the changed application tries to connect to the internet. I think this is a pity, because the DLL implant has already taken place. I have to go through a lot of effort to undo this implant. If Comodo warned me at the moment of the implant taking place (f.i. Zapass), it would be my choice. Now it warns me that a thief is wanting to break out (instead of preventing the thief from breaking in).
    Because I have a hardware (built-in) inbound firewall, I can live with the basic/primary TCP-initiate protection (no packet filtering) DSA offers. I also realise that DSA is not very termination 'hardened', but I trust the strong defense of DefenseWall. Since DW is not a network/application firewall, the simple protection DSA offers complements DW, since (to my knowledge) it is hard to find a freeware security app with the same strong protection as DW.
    Given this fact (the first line of defense, DW, being the strongest), I do not think there is any use in stacking other applications behind DW, eating processing power.
    I have disabled the behavior elements of DSA (system and email anomaly feature), because I do not see the added value (in relation to CPU use). This is the reason I did not mention DSA under behavioral blocking.
    Although being a whitelist application, DSA has a learning mode in which you can unselect "Require user approval for each alert". This silences the learning period.

    DefenseWall
    When I select a security program I look at three aspects:
    a) strength of design architecture (theoretical protection strength)
    b) quality of implementation (does it work in practice)
    c) usability (is it easy to configure,

    According to this preference sequence it would be obvious to use VMware (OS and file system separation), which offers the highest theoretical protection, or the next best, Sandboxie/BufferZone (file system separation). The reason for not choosing VMware (even advised by Ilya of DW to use when trying programs) is money and CPU capacity. The reason I rate the usability/seamless implementation of access-restriction sandboxes over the file-separation sandboxes is that my wife uses that PC a lot.

    So why did I choose DefenseWall instead of GeSWall?
    GeSWall is freeware, Brian offers excellent support, and GeSWall is based on the policy management technology of XP (a design plus). The reason is simple: GeSWall has 4 levels of intrusion protection, while DW has only two. GeSWall also offers more granular control, but the downside is that the user has to make the correct decisions, thus leaving the weakest link (myself) as the critical element.
    I think GeSWall is as strong as DefenseWall, only in Gizmo's test comparing 8 sandboxes GeSWall failed the drive-by test, while DW, tested by the same author in a 6-HIPS review, passed those tests. DW out of the box with no pop-ups was the clear winner of the 6-HIPS review. Although the HIPS and the sandbox tests were not 1-on-1 comparable, the drive-by infection test was the same. So this configuration risk (of the weakest link - myself) was the reason to spend 30 bucks on DW. I admit that the reason for the choice was more a psychological than a logical one (the set-and-forget plus of DW).
    (On my play-time laptop with valuable info on it I use SSM free and GeSWall free.) Because of the positive reviews and the ease of use I therefore rated DW 5 plusses.

    ANTIVIR
    In AV-Comparatives Antivir scores well on tests; it is the best free AV. I do need an e-mail AV, because my ADSL service provider does this for me. I realise that KAV with PDM (behavior) or NOD with active heuristics (also a behavioral form of additional protection) are better choices, but they cost more.
    Antivir is a blacklist AV with limited heuristic capabilities; that is why four plusses are mentioned in that cell.

    Note 1
    I use the static defense of SpywareBlaster. It uses a blacklist of IP addresses, tracking cookies and ActiveX. I also use the on-demand phishing protection of IE7 (my wife needs IE because her music pay site requires ActiveX).

    That's it; any comments or replies are appreciated.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Forgot to upload the picture o_O
     

  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Kees1958,

    A now somewhat dated thread, Security that you use and its purpose (my own contribution at the time is here), tried to tackle similar ground, although the functional breakout was not as explicit.

    I don't believe my underlying philosophy for typical users has changed a lot, but the offerings certainly have with the recent flood of various proactive applications. I didn't restrict myself to free, so my own contribution does not apply to the present thread, but the basic design ethic does, and it's really not a lot different from the one you propose.

    Blue
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Blue,

    You give me too much credit; it is not my model. It is a model used by either Gartner or Forrester (IT research/consultancy firms doing paid research for the industry and large companies). I should not have used the 'I' manner of speech.

    The underlying philosophy is that the setup should be set up from top to bottom (outside -> inside) and that the setup difficulty increases from left (blacklist) to right (whitelist), with community-based knowledge sharing as an intelligent workaround (so novice users are assisted in making choices by the community). The third dimension (the ranking of the plusses in the cells) uses the evaluation criteria of design strength, quality of implementation and ease of use.

    By the way, freeware is not a criterion for this post, just something I prefer and therefore mentioned in my example and explanation.

    Thanks for the links.


    Regards
     
    Last edited: Nov 22, 2006
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Regardless of origin, it's a useful and nicely structured way to pull a planned implementation together.
    In some respects, potential strength also increases from left to right (i.e. going from blacklist/default allow to whitelist/default deny).

    I would tend to characterize a setup in which all levels are covered as quite secure, as long as the appropriate selections within each domain are made. Therein lies the rub for a casual user and a market opportunity for vendors of comprehensive security suites.

    Blue
     
  7. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    My PC: 512 MB RAM, P4 1.8 GHz
    My objective is to use free programs that do not use too much RAM and get along with each other.
    I use Sandboxie sometimes. I use Sandboxie for my kids' MSN.
    I use SSM free after I boot. It is not in the autostart.
    Updating is easy; Antivir and CyberHawk update easily.

    I also use SpywareBlaster and Spybot to immunize.
     

  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First remark: You are right
    That is what I had forgotten to say. Strength increases from left to right.

    Second remark:
    That is the idea, to cover all levels. Only for overlap is the top-down approach (with the exception of outbound) used to decide which one to drop (the idea is to stop the threat as early as possible).
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, try to fill in which areas they protect (blacklist - behavior - whitelist). I think there is overlap between Sygate (process change protection), CyberHawk and SSM. When you have paid SSM, dump CyberHawk and switch off process change detection of Sygate. When you have all freeware you could also decide to dump CyberHawk, because whitelist protection is stronger than behavior protection. (CyberHawk is more an application-level protection.)
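    The overlap rules stated in this thread (posts 6, 8, 9 and 13: cover every level, strength increases from blacklist to behavior to whitelist, outbound control is exempt, and on overlap keep the stronger app and drop or switch off the weaker one) can be written down as a small decision procedure. The script below is an added example, not code from the thread; the cell assignments and plus ratings for Sygate, CyberHawk, SSM and Antivir are constructed for illustration and are not the thread's own table.

```python
# Added example: the layered-defense matrix from this thread as data, with the
# thread's overlap rules applied to a constructed set of security apps.

LAYERS = ["network", "outbound", "threat gate", "application", "data"]  # top -> bottom
APPROACHES = ["blacklist", "behavior", "whitelist"]                     # weak -> strong
EXEMPT = {"outbound"}   # post 8: overlap at outbound control is not resolved top-down

# Constructed coverage: app -> {(layer, approach): plusses}.  Illustrative only.
SETUP = {
    "sygate":    {("network", "blacklist"): 3, ("application", "behavior"): 2},
    "cyberhawk": {("application", "behavior"): 3},
    "ssm":       {("application", "whitelist"): 4},
    "antivir":   {("data", "blacklist"): 4},
}


def overlaps(setup):
    """Return {layer: [apps]} for every non-exempt layer covered by more than one app."""
    by_layer = {}
    for app, cells in setup.items():
        for (layer, _approach), _rating in cells.items():
            by_layer.setdefault(layer, set()).add(app)
    return {l: sorted(a) for l, a in by_layer.items() if len(a) > 1 and l not in EXEMPT}


def strength(setup, app, layer):
    """Ranking key for keeping an app at a layer: strongest approach first (whitelist >
    behavior > blacklist), then its plus rating, then how early (top-down) the app
    starts defending, since the thread wants threats stopped as early as possible."""
    cells = {ap: r for (l, ap), r in setup[app].items() if l == layer}
    best = max(cells, key=APPROACHES.index)
    earliest = min(LAYERS.index(l) for (l, _ap) in setup[app])
    return (APPROACHES.index(best), cells[best], -earliest)


def resolve(setup):
    """Apply the overlap rules; return {app: action} for apps that lose a layer.
    An app that loses all of its layers is dumped, otherwise only that feature
    is switched off (post 9: 'switch off process change detection of Sygate')."""
    lost = set()
    for layer, apps in overlaps(setup).items():
        keep = max(apps, key=lambda a: strength(setup, a, layer))
        lost.update((a, layer) for a in apps if a != keep)
    actions = {}
    for app, layer in sorted(lost):
        covered = {l for (l, _ap) in setup[app]}
        remaining = covered - {l for a, l in lost if a == app}
        actions[app] = "dump" if not remaining else f"disable {layer} feature"
    return actions


if __name__ == "__main__":
    for layer, apps in overlaps(SETUP).items():
        print(f"overlap at {layer}: {', '.join(apps)}")
    for app, action in resolve(SETUP).items():
        print(f"{app}: {action}")
```

With the constructed table this reproduces the thread's advice for cet's setup: SSM stays at the application level, CyberHawk is dumped, and only Sygate's application-level feature is switched off because Sygate still covers the network level.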
     
  10. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    I thought CyberHawk was community-based. Am I wrong? I am using all free versions, so I am not sure about dumping CyberHawk. Or can I use another software in place of CyberHawk, Sygate and SSM? If there is one, please let me know. But with this configuration I am very happy and not a fly has passed through my PC. Lol.
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    This is the way I'm designing my future security setup. For now:

    -NAT router: I've chosen a UTM Linux distro, with the possibility of installing xBSD if I can understand it. This has antispam, content filtering, intrusion detection (Snort) and a transparent proxy with antivirus scanning thanks to ClamAV, AVG and F-Prot (eagerly awaiting the next version)
    -Outbound: Jetico v1 with NTWrapper

    -Threat gate entry: GeSWall
    -Application level: AppDefend? I don't want a full-blown classical HIPS like SSM or the new ProSecurity. Maybe this category is too much in my setup
    -Data level: Antivir or NOD 32 perhaps without IMON

    And:
    -On-demand scanners: Ewido + SAS for now. Maybe I'll dump both
    -"Passive" security: Script Defender (or Script Sentry?) + SpywareBlaster + IE SpyAd
    -Firefox w/ NoScript and other add-ons
    -Thunderbird
    -System hardening: Harden-It, BugOff, WWDC, service tweaks, etc.

    -BACKUP SYSTEM :D
     
    Last edited: Nov 25, 2006
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I do not know Sygate very well (so I do not know whether it monitors process changes).

    To exclude redundancy, you could choose either CyberHawk or SSM. Because whitelist is stronger than behavioral (generally), I would choose SSM.
    Yes, CyberHawk is also CIPS.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes it is!
    Only NOD also has some behavioral features (active heuristics). So your defense is even better and not overlapping (strict behavior defense like in CyberHawk or Prevx differs from heuristics).
     
  15. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    Sorry to ask so many questions, but I have been reading these forums for a long time and I have read most of your posts and learned many things; thank you for sharing your knowledge.
    Last question: since Sygate is old and DSA acts more like a firewall, is it okay if I dump Sygate and CyberHawk and use DSA? You are using DSA; can you please tell me how much RAM it uses?
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi CET,

    Tomorrow I am going to drive three old off-road motor bikes, one car and a small truck from Amsterdam to Dakar. It is a charity drive called Drive for Africa. The vehicles are sold in Dakar and Banjul. The money goes to local charity goals (like schools, water pumps, etc.). So I won't be able to answer any questions for the next few weeks.

    As for DSA: it uses about 17K. DSA is very easy to configure (when you unselect 'notify user' in the training stage and select all running processes/applications after start-up once). I have only "e-mail, process and outbound application" protection enabled. As for the 'malware hardness' of this application, I rate the free version of ProSecurity better (sounds stupid while I use DSA), because it offers application control, outbound TCP control on high/basic level (like DSA) and checks whether processes are modified (that is, I think, extra compared to DSA).

    It is just laziness of me to use DSA instead of PS. The reason for this is that the default of PS is rather wide (when you trust an application, it is allowed to do a lot). In the past I have been using SSM-free (it also has an option to trust all running processes). The nice thing about SSM is that its learning mode is in 'paranoid' mode. This means after some training you will have the tightest protection of a whitelist app. When you are sure that SSM works, you can disconnect the user interface in paranoid mode. In this way you won't be getting pop-ups (for me that is good, because my wife uses the system and she allows all by default, because she hates irritating pop-ups). The only pity is that SSM-free does not check on outbound traffic being initiated (the paid version does).

    All the whitelist apps mentioned above do not do packet filtering or some intelligent behavior analysis/blocking on the traffic level (to protect you from flood/DoS/SYN attacks, as good firewalls like Comodo seem to do).

    When you only want high-level traffic-initiation protection, DSA and PS are good for you. I think because we are sitting behind a hardware firewall it is sufficient (uncheck the Windows XP firewall and save CPU resources). Because DSA has this basic TCP check, Windows XP recognises DSA as a firewall.

    When you have questions, try others like BlueZannetti, IBK, Bellgamin, Sukaroff, Aigle, Interact, or Tommy; I like their input to this forum a lot.

    Regards Kees
     
    Last edited: Nov 24, 2006
  17. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    Thank you, from İZMİR, Turkey. I wish you good luck with your charity drive. Many of the forum users are saying that their wives are using the PC......so they do different combinations of software for them. I am a woman, 43 yrs old, and my ex-husband did not know anything about computers (he owned a big company), so not all women or men are the same. I just wanted to point this out.
    :D
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    I might be a party-pooper (no table for me), but I'll write down what I think might be appropriate for home users.

    Windows

    Network: Comodo / Sygate or Sygate + Smoothwall

    Threat gate - as above; run P2P apps as limited (DropMyRights or similar), disable autostart

    Application level - only for browser.

    Data level - none.

    I don't believe in blacklisting, whitelisting, community or bad behavior AI.

    As you see, there is little overlap, if any.


    Linux

    Network - Smoothwall (maybe with Snort) and/or iptables
    Threat gate - nothing really
    Application level - nothing really
    Data level - enabled by default (local user rights)

    Mrk
     
  19. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    u think its appropriate for home users to run Windows w/o antivirus?
     
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Since many technically astute users run Windows from home..., the answer would have to be a qualified yes for a very small subpopulation...

    More detailed answer - if you have to ask, the answer is no. In general, answers that don't involve a prepackaged and basically self-running AV and/or suite will elicit a rather puzzled look from most users. Since the range of experience and capabilities runs the gamut here, the range of appropriate answers will as well. Casual users, those who use a PC as a tool to aid them in everyday life, in other words the majority of the installed user base, are advised to use an AV and/or a security suite of some sort.

    Blue
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    In my active online life, since 1999 or so, I have never witnessed a real-life situation of an anti-virus detecting / countering a virus etc. I'm really wondering what people are doing to get them to shout. And this is Mr. Porn talking here.

    Relying on AV as the holy grail of security is ... false. You deny yourself the real power of control and invest it in a tool that is nothing more than a lookup table and a few smart scripts. AV will not keep you safe. At best, it will give a user some sense of security - and probably keep him from trying to educate himself.

    AV can be nice. I use several AVs in several different setups. But not for the sake of protection against web threats.

    I do think average users should combine AVs with some other tools. The magic is knowing how to utilize them correctly. Not for scanning cracked files and then running them if they come clean. That's not what AVs are meant for.

    AVs are to be used to scan files that you TRUST. Not the ones you don't. The ones you don't - just don't run them. The ones you do might accidentally be infected - for instance, a CV from a friend or something. Those are the ones you should look after. Not something called winCracker2111.exe.

    Furthermore, the thread was about how we would individually setup a system. My setup does not apply to everyone, of course. Everyone and their choices.

    Mrk
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I have, but it is orders of magnitude less frequent than one might suppose reading on this site. A genuine threat? Once every few years or so.

    The implicit assumption here is that the user wishes to and will successfully educate themselves. Empirical evidence seems to be at odds with this outcome.

    Excellent point, and probably more important than I'd like to believe.

    True, point taken.

    Blue
     
  23. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    what tool do u rely on for protecting against web threats?
    would u mind explaining this logic more?
    that does make sense i guess, though not a practice i could perform.
    so the setup u mentioned is also your personal setup?
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Haha, you're right. My wife has a master's in psychology. I'm not saying she is dumb, just not interested in technique. In Holland most women are aware of equal treatment. I, for example, am a business director, but I have to iron my own shirts and 8 out of 10 times I am doing the cooking at home, because my wife gets home later than I do. We share the cleaning of the house.

    So although I play rugby, was 2nd at taekwondo in the Netherlands and ride bikes, I have a boss at home; she is addressed as Mrs.

    ;)
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    WSFuser, to answer your questions:

    Web threats:

    Firefox / Noscript will cover 99.9% of all web threats.

    I think other network-based activities do not fall directly under web threats, because anything done on the web is a web threat. Nevertheless, P2P and IM apps should be run as restricted. The choice of the application is also crucial.

    Of course, a firewall is there as the first line of defense. Make your pick.

    AV:

    Troy fell because they trusted the horse and let it in. You will be extra careful when you run a file called wincrack.exe, right? But real troubles occur when people do not expect them. You get a file from a friend called story.doc. This file is infected. Not on purpose. It's just your friend has an infection that appends a bit of code to any document he writes. He sends you a story so you can check his spelling. Because this file comes from a friend, you'll normally assume it's ok, right?

    This is when and where you must be extra careful.

    Example:

    Three years ago, before I got married, my girlfriend at the time (now upgraded to wife) lived in the university dorms. She wanted to watch a movie, but she didn't have a codec. So she asked a friend at the dorms to install a codec for her. I was not there at the moment to assist.

    What happened?

    The friend installed some **** that came bundled with VX2.

    My point: A person you trusted did inadvertent damage. He was only trying to help. Even he did not know that he was using that crap.

    BTW, here's the best way to test "suspect" files / software:

    Install Linux.
    Install VMware Server.
    Install Windows as guest.
    Install your everyday applications.
    Now test your suspected files and see the operating system react.
    If everything works, cool. If not, revert to a snapshot and ditch the perp.

    Using imaging or shadow software can also work for people who do not wish to meddle with Linux. Free solutions include ShadowSurfer and DriveImageXML.

    Malware aside, this is the right way to test programs before you assimilate them into your borg. If you can afford an extra guinea pig machine, even better.

    Mentioned setups:

    I have several computers, all of which serve different purposes, so a setup would be inaccurate. I have several setups that I like. But I also have several setups that I like less, but I run them because I like to test stuff.

    I also believe in simplicity. Computers are just ... computers. People turn the online experience into some sort of war. Totally out of perspective. Just dumb stupid machines. Fifteen years ago, we used to read books and never bother about "threats".

    One of the main reasons why we at Wilders talk about security so much is because we LOVE it. We love to feel adventurous and install stuff. In the process, we lose the sense of reality.

    This rant aside, I do have computers that are equipped with only a firewall. I even run machines without a firewall. I have also machines that run a firewall and anti-virus and sit behind a custom-built router.

    Think about it. I'm looking at the last 7 years. During which I did quite a lot of file sharing, browsing the "adult" sites and all sorts of fun. I have not stumbled upon any malware on the way. It might be there. But I don't bother it, and it don't bother me. We has an understanding.

    Besides, using anti-this and anti-that to clean and prevent infections is really the wrong way of doing it. What is simpler than booting off a Linux CD and inspecting the partitions when they are dormant?

    I have no intention of provoking anyone. I'm not braver or smarter than others and I don't know any special secrets. It's just that I treat a computer as a replaceable piece of machinery. They are so easily replaceable. After all, we do it every 3-4 years!

    The most important thing is the personal data - here, every precaution should be taken. Multiple copies on CD / DVD, printed material, whatever. But apart from that?

    Mrk
     