My Final Setup - Any Conflicts? Plus Hosts File Question

Discussion in 'other anti-malware software' started by idbit, Dec 19, 2008.

Thread Status:
Not open for further replies.
  1. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    After much deliberation and research, I've arrived at a final security setup. Will there be any conflicts or issues? I should add my equipment info:

    • Operating System: XP SP3
    • CPU: Pentium 4 - 2.4Ghz - slow by today's standards, but not too bad
    • Memory: 2GB DDR
    • Habits: Very heavy internet use. Home office. Lots of password protected sites.
    Here's what I'm thinking for real-time protection:

    • NAT Router
    • Firefox 3 with NoScript Plugin
    • Avira Premium AV
    • Online Armor Paid
    • Mamutu
    • KeyScrambler
    • Sandboxie
    • Spybot S&E - to lock Host File, IE Start Page, and IE Control Panel
    • SpywareBlaster - ActiveX, Cookie, and Restricted Sites protection
    This is a lot! I have to emphasize that I spend a lot of time online with sensitive information, so that's why the extra HIPS with Mamutu. I read here that it doesn't conflict with OA. But then you add Avira, KeyScrambler, and Sandboxie… I don't know.

    I noticed that Online Armor has "Trusted Sites" and "Untrusted Sites" features. I don't know if it hooks into IE's Trusted Sites and Restricted Sites. But if it does, then I'm going to have I think four softwares all hooking into IE's Trusted Sites and Restricted Sites: IE itself, Firefox 3, SpywareBlaster, and possibly Online Armor. Any thoughts on this?

    Are any others using Spybot to lock down their Hosts File? Are there other ways of doing this?

    Thanks!
    IB
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See above: OA will deal with web site protection (so use SpywareBlaster only for ActiveX and Cookies).

    Set your hosts file to read-only.


    Iron Portable (= Google Chrome) is way faster than FF and has an internal sandbox. Just set it to not remember passwords (something you should never do with browsers).
     
  3. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Thanks Kees! If Iron Portable has an internal sandbox, that's great because I was kind of iffy about the whole sandbox idea anyway. (That's why I was beefing up on the HIPS.) I didn't mention that I run TredoSoft's MultipleIE's: http://tredosoft.com/Multiple_IE. It allows me to run IE6 in addition to IE7. It's very flaky in operation. IE6 and IE7 don't like interacting and sharing with each other! But that's not its purpose. I only use it to view how a site will look in IE6. Plus I will be running FF2 and FF3 simultaneously - along with Opera, Safari, IE6, and IE7. So it's browser hell (or heaven I suppose) on my PC. I just don't know how Sandboxie would deal with all that. That's why I was going to install all the above first and see how it goes for a month - then trial Sandboxie.

    I'm looking into Iron Portable now. Only one possible deal breaker. I'm really in love with the DownloadHelper plugin for Firefox. It lets you save Youtube and other similar embedded videos onto your hard drive. Does Iron Portable have something similar? I know it sounds silly, but I really can't do without that. I would rather compromise a bit on the security instead.

    You know what I noticed too? I was able to change my hosts file manually by just unchecking "Read-Only" in the file properties - while Spybot had it protected. Wouldn't a malware be able to do the same thing anyway?

    Thanks again Kees. It looks like you have a lot of respect around here. So this really helps.
     
    Last edited: Dec 20, 2008
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are welcome,

    In OA you can run all your internet facing software as run safer (meaning running with limited rights).

    When you want a real light setup, consider adding another user with limited rights and try SURUN. Search the posts for TLU and Mrkvonic (https://www.wilderssecurity.com/showthread.php?t=227600&highlight=Surun). It really is a good tutorial on how to run without admin rights in a practical way.

    Only do not add an admin account; add a limited user account and then add it to SURUN. Looking at your a bit dated PC, you could save some money and enjoy its CPU capacity.

    Simply invest in reading the SURUN tutorial, add ThreatFire free (add protect hosts file and outbound protection custom rules) and you have decent security for free (use A2 malware free v4 and SAS free for on demand scans). You would be only running TF as security (plus limited rights user), so you keep your CPU cycles for your security apps (and of course KeyScrambler free when entering passwords). SpywareBlaster does not eat CPU cycles so keep that also (for your other browsers).

    Cheers Kees
     
    Last edited: Dec 19, 2008
  5. DarkButterfly

    DarkButterfly Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    82
    Spybot, as you already stated, won't protect the HOSTS file at all. Setting the HOSTS file as read-only won't either.

    I also found out, that if you configure your HOSTS file to something like 127.0.0.1 baddomain.com bad_domain.org one_more_bad_domain.net ... up to 9 entries, it will make Spybot go mad! Try it. :) ... Or not.

    How to protect it? I'm not sure, but I think that Online Armor protects it? No idea, as I do not use it.

    One alternative could be to use HostsMan to manage your hosts file, which will offer better protection than Spybot. It will allow you to see if there are any hijacked, disabled or modified entries. It will also allow you to change all your entries from 127.0.0.1 to 0.0.0.0 and from 0.0.0.0 to 127.0.0.1, or any other format you wish.

    Or you could try ThreatFire, as suggested.
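    The checks described in this post (spotting hijacked entries, noticing that the file changed, and flipping 127.0.0.1 sinks to 0.0.0.0) as an added Python example, not code from HostsMan or anyone in this thread; the sample hosts content and the watchlist of names are constructed for the demo:

```python
"""Hosts-file audit helpers (added example): parse the file, flag hijacked
entries, fingerprint it to detect edits, and rewrite 127.0.0.1 sinks to 0.0.0.0."""
import hashlib
import ipaddress

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that sink a name
WATCHLIST = {"www.paypal.com", "windowsupdate.microsoft.com", "www.google.com"}  # constructed

# Constructed sample hosts content, not a real capture.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.net        # blocklist entry
0.0.0.0         tracker.example.org
203.0.113.5     www.paypal.com         # hijack: bank name sent to a real host
198.51.100.7    intranet.example.local # real address, but not watchlisted
notanip         garbage
"""

def parse_hosts(text):
    """Return (ip, hostname, line_no) for each active mapping; comments ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        entries += [(parts[0], name.lower(), n) for name in parts[1:]]
    return entries

def find_hijacks(text):
    """Watchlisted names mapped to a real (non-blackhole) address."""
    return [e for e in parse_hosts(text) if e[0] not in BLACKHOLE and e[1] in WATCHLIST]

def fingerprint(text):
    """SHA-256 of the file; compare with a stored baseline to spot edits,
    since the read-only bit can be cleared by anything with write access."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def rewrite_blackhole(text, old="127.0.0.1", new="0.0.0.0"):
    """Swap the sink address on blocklist lines, leaving localhost alone."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == old and "localhost" not in [p.lower() for p in parts[1:]]:
            raw = raw.replace(old, new, 1)
        out.append(raw)
    return "\n".join(out)
```

    On XP the file to feed these functions is normally C:\Windows\System32\drivers\etc\hosts; run the fingerprint check from a scheduled task and compare against the hash you stored after your last deliberate edit.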
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    ZoneAlarmPro has a Lock hosts file feature under Advanced Settings in the Firewall section.
     
  8. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Yet another wrinkle. :) Scanning through that link, it looks like it's working for people. I'll check it out. If it's easy enough to implement... I'm trying to come up with an arrangement that I can recommend to friends and people that I help out. That's one reason I was opting for OA instead of Malware Defender. Trying to stay a little within the mainstream. I guess there's no reason I couldn't use SURUN AND Online Armor - just for my system. I'm really not starved for speed. I keep a clean computer. It looks like some people are bagging their security apps and just running SURUN.

    I'll check that, maybe see what OA does first.

    Thanks for the replies!
     
  9. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Wow, I'm seeing the light! The more I look into Limited Accounts, the more I like the idea. It seems like this is the ultimate sandbox. I mean isn't a sandbox just a different way of running a limited account? Or at least the end result is the same - just a different way of getting there? The lazy way. :p I think the "proper" way to achieve this is through Limited Accounts and Software Restriction Policies. We should have been setting XP up like this since the beginning. Sure it's more work, but I'm sure it will feel satisfying to tackle this issue. I guess there are limitations that XP presents. But I think I have more options with XP Pro. I'm going to experiment with just a basic limited account and a Software Restriction Policy - and see where that takes me. These links here do a good job of explaining setting up a Limited Account: http://www.mechbgon.com/build/Limited.html and a Software Restriction Policy: http://www.mechbgon.com/srp/.

    What I also learned is that the Limited Account by no means replaces your AV and HIPS software. Just like with a sandbox, you're still vulnerable to real-time type attacks to stuff in MyDocuments and Favorites (and probably other places). Sure your odds now are much, much lower of an attack. But still, you never know where your attack is going to come from. So I believe you still need to be prepared on each front.

    One thing I'm not sure about, though, is the outbound firewall protection. When a malware "phones home", does it need access to system files outside of MyDocuments or Favorites? Or can it phone home completely within its own little network it set up within MyDocuments or Favorites? In other words, does the limited account remove the need to have a software firewall?

    Okay, I feel like I'm making real headway. Thanks for showing me the light! I think I said this once before, but this time I really mean it! :)
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, when running LUA a relatively easy firewall like OA will give you a lot of protection. Some things are prohibited in LUA (installing a driver, some registry hives and access to the Windows and Program Files directories with create intent), others like DLL injection not.

    LUA will skip 80% of the horror stories about PC security.

    Try a few setups like OA + Avira or PCToolsFW + DriveSentry when running LUA (and of course the IRON web browser).
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I don't use it, but I have read that WinPatrol will allow you to lock your HOSTS file and will monitor changes.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Also ZoneAlarm firewall locks down the hosts file too ;)
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Duly noted five posts up. ;)
     
  14. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    OA protects your HOSTS file from any changes to that file.
     
  15. idbit

    idbit Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    43
    Location:
    Florida
    Thanks for the replies. I haven't had the chance to experiment with LUA's and SRP's yet. Since they don't completely take the place of AV, HIPS, and firewall, it would make more sense to get those nailed down first. I'm going to experiment. I had already paid for Avira AV. I read so many great things about Mamutu that I couldn't resist buying it last Friday - while it was still on sale for $8.69. I still want to try Online Armor. So real-time protection is going to look like this for now:

    • NAT Router
    • Firefox 3 with NoScript Plugin
    • Avira Premium AV
    • Online Armor Paid
    • Mamutu
    • KeyScrambler
    • SpywareBlaster - ActiveX and Cookie Protection
    I know this is overkill. But I've never used a HIPS program or software firewall before. So this will give me the chance to experiment with all these great programs I've been only reading about for the past two weeks. Then I can figure out what I like about each one - and ultimately what I can recommend to friends.

    Once I have my security apps in place, then I'll work with the LUA's and SRP's. Like I said before, that looks like the ultimate sandbox - but working within Windows itself, rather than adding new software. I'm sure it's not as simple as I made it sound earlier. SURUN wouldn't be needed if it was. But I'm still going to experiment from the ground up. Start by setting up a basic LUA and SRP and see for myself what limitations are there.

    I'm sure that Online Armor's hosts file protection will be sufficient. If not... if I can still go into file properties and change it to "Read-Only", without going through OA first, then I just won't worry about it. If something gets that far anyway...

    Thanks again!
    IB
     