light whitelist application - any good suggestions

Discussion in 'other anti-malware software' started by ravnen, Mar 15, 2010.

Thread Status:
Not open for further replies.
  1. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Hello Wilders

    I'm looking for a light whitelist standalone application for the average user (prevention strategy).
    By reading Rmus's excellent analyses and comments, I really think this is the future.

    I know applications like ThreatFire - Online Armor - Geswall - Comodo - DefenseWall etc.
    But for the average user I find them too complicated (HIPS learning mode + firewall prompts).

    I also heard about the upcoming BLADE. That could be a good candidate. But I have to test and evaluate it first.

    Then there is Anti-Executable from Faronics. It's really light and easy.
    But some people don't want to pay that kind of money for a small product like this. Also it seems that Faronics is now aiming their product at the enterprise market.

    When I advise people and other security persons about the strength of LUA/SRP, they just don't get it or tell me it's too complicated.
    Also SRP and AppLocker are not in all versions of Windows.

    We are all talking about a simple, effective prevention strategy, but to find an application to do the job is quite hard.
    If you have other good approaches to a simple whitelist prevention strategy, please let me know.

    Thanks,

    /Jesper
     
    Last edited: Mar 15, 2010
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Have you considered setting up LUA/SRP as explained at http://www.mechbgon.com/srp/?

    Also, have you considered Pretty Good Security?
     
  3. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Thanks for your feedback.

    The links you point to are great sources, and I have used mechbgon's guide many times.
    It's also nice that Sully made a great project like PGS.

    LUA/SRP can be an easy setup when you sit in front of the user and the laptop (e.g. family, friends, neighbors).
    The problem is when you have to advise/guide the user in a newsgroup, forum, etc.

    Follow the steps below:

    Create a new user profile with admin rights.
    Make your own account a standard user.
    Log in with the admin account.
    Remove inherited permissions from Program Files, system folders, etc. (ACLs).
    Set up SRP (deny-all policy) - log out.
    Log in with the standard account.
    Test the setup.

    Somewhere in the above process the user will say to me "STOP...are you mentally ill".

    Don't get me wrong, to me it's one of the best and most secure setups, but for the average user it can be really hard to understand.
    That's why I'm looking for a simple "set up and forget" whitelist application that can protect them against drive-by exploits/USB/mail/DVD.

    Some other simple freeware alternative would be nice; we really need it today.

    Thanks,

    /Jesper
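The SRP part of the seven steps above, carried through as an added PowerShell example (not code from this thread or from mechbgon's guide). It assumes it is run elevated from the admin account of step 1 and writes the policy straight to the Safer registry keys, so it also applies on Windows editions that lack secpol.msc; the value names, levels and path-rule layout are the documented Safer ones, the file-type list is my own choice.

```powershell
# Added example, not code from the thread or from mechbgon's guide: the SRP part
# of the seven steps in post #3, written straight to the Safer registry keys so it
# also works on Windows editions without secpol.msc. Run elevated from the admin
# account of step 1. PolicyScope = 1 exempts local administrators, so that
# account can still install software while every standard user gets "deny all".
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $Unrestricted = 262144      # SRP security levels 0x0 and 0x40000

function Add-SrpPathRule([string]$Path, [int]$Level) {
    # A path rule lives under <level>\Paths\{GUID} with ItemData = the path.
    $key = Join-Path $Safer "$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
}

function Set-DenyAllSrp {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel -Value $Disallowed -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = all software except DLLs
    New-ItemProperty -Path $Safer -Name PolicyScope -Value 1 -PropertyType DWord -Force | Out-Null        # 1 = all users except local admins
    # Designated file types (my own list): script types beyond Microsoft's default are added;
    # LNK is left out so Start-menu shortcuts keep working (their targets are still checked).
    $types = 'BAT','CMD','COM','CPL','EXE','HTA','JS','JSE','MSI','MSP','PIF','REG','SCR','VBS','VBE','WSF','WSH'
    New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString -Force | Out-Null
    # Step 5: deny everything by default, then allow the locations standard users cannot write to.
    foreach ($p in '%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%') { Add-SrpPathRule -Path $p -Level $Unrestricted }
}

# Step 4 (ACLs): a path rule trusts a location, so any folder under it that standard
# users can write to is a hole in the policy. List them so each can be fixed by
# tightening its ACL or by adding a Disallowed ($Disallowed) path rule for it.
function Find-UserWritableDirs([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles)) {
    $write = [System.Security.AccessControl.FileSystemRights]'Write'
    Get-ChildItem -Path $Roots -Directory -Recurse -ErrorAction SilentlyContinue | Where-Object {
        (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users|Everyone' -and
            ($_.FileSystemRights -band $write) -ne 0
        }
    } | Select-Object -ExpandProperty FullName
}

Set-DenyAllSrp
Find-UserWritableDirs
# Steps 6-7: log out, log in as the standard user and try to start an .exe from
# Downloads; the policy should refuse it, while programs under Program Files run.
```

The directory scan walks the whole Windows and Program Files trees, so it takes a few minutes; review its output before deciding what to block, since some of those folders are used by Windows itself.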
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Try SuRun. While not a whitelister per se, it will make your account limited, and you can elevate privileges when needed, so you get an automatic whitelisting approach for many undesired changes, whether triggered by you or something else.
    Mrk
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am wondering, how can you tell someone to use a whitelist tool when they don't fully understand what is going on anyway? I have the same issues with those I support. It seems to boil down to some very easy situations:

    1. the persons(s) are inclined to learn, so you walk them through your security scheme, explaining what is happening. If they are interested, they grow from there.

    2. the person(s) are not inclined to learn, they just want protection and security. Whether they are admin or user, they don't want to understand what is happening. I suggest making them a user, and as Mrkvonic says, SuRun/UAC type approach. It does not matter IMHO at this point, as the user is going to give admin approval to whatever they want to run.

    In my mind these types of situations have no real clear-cut solution. Without the interest to understand that some things are not allowed and, more importantly, why they aren't allowed and how to circumvent the protection when needed, I don't know how they are supposed to have any security. It is like putting a HIPS/firewall on a novice's machine: they just click yes/allow and move on.

    Sandboxie I have found is a good tool for these types, along with LUA mode. For some reason explaining that everything is "locked inside the sandbox" and that "you have to get it out to keep it" type thing is fairly well accepted.

    I wish you luck, it is no easy task to teach technical details or use technical tools with someone who does not want to know about the technicalities.

    Sul.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Hi

    Thanks for all your great comments and suggestions.
    I agree with you, it can be hard to advise some newcomers to look into prevention instead of detection.
    I'm just so sick and tired of the whole anti-malware industry as we see it today.

    - Bigger security suites, with only 300-page PDF manuals.
    - Constant deployment of beta/upgrade/update features. Always keeps the poor user busy.
    - Constant malware/performance/crash/bug/BSOD issues in all the support forums.
    - Cloud AV/services, where some of the pitfalls could be DDoS attacks, infection in the cloud, availability and privacy.
    - Scary headlines all over, in the press/media, security forums/blogs.
    - Big business. If they did prevention, they fear loss of profit.

    Does the above give the end users a better understanding of basic attack vectors?
    To me, that is the main problem. Nobody in the press/media gives nearly any advice about simple prevention.
    I believe many people today have the skills, but they need 5-10 minutes of education about the subject "prevention vs detection".
    That belief keeps me going :).

    /Jesper
     
  8. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    If, as you say, you're talking about the average/newcomer user, I'd go for Returnil Free (as flagged by MrBrian) and set it to "Trust programs from real disk only".

    I use it - it's simple, unobtrusive, makes you think that little bit longer about what you allow to run, and (hopefully) alerts you to any non-requested install, though I couldn't comment on whether it's absolutely watertight...

    philby
     
    Last edited: Mar 18, 2010
  9. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Hi philby

    Thanks for the tip. Do you know if I can trim down features in Returnil and only use the anti-executable function?

    /Jesper
     
  10. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    System Safe needs to be on, set to either save or drop changes, but that's the only requirement.

    philby
     
  11. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Thanks, I will give it a try. Have a nice weekend.

    /Jesper
     