Opinions Gentlemen & Experts

Discussion in 'other anti-malware software' started by EASTER, Sep 18, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I'm locked solid on both EQS & Real-Time Defender (free) as well as Cyberhawk, but does anyone have an opinion if I installed Avira AV in with this combination?

    Is it your experience or opinion that I might lose some performance by doing this, or are you confident adding Avira won't interfere with either this HIPS or Behavioral Blocker?

    I normally don't even bother with AVs thanks to Returnil, HIPS, SandboxIE, but am curious if this would cross the line with this present setup and maybe cause some friction in between as they work together.

    Thanks as always, EASTER
     
  2. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Well...My Avira Premium:

    Avguard.exe uses about 10K of memory
    Avwebguard.exe uses about 4K of memory.

    I think having Avira in your setup would be nice. It should complement all your other programs without interfering. If you do have a problem though, report it to Avira and they usually have a patch for it in a few hours. :)
     
  3. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    It would be useful to tell the name of the malware that your HIPS/behaviour blocker stopped. :)
    I used it myself (the free version), and I don't see how it could interfere with the rest of your programs. It has minimal system impact. I dropped it because I'm confident in my HIPS/sandbox configuration.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    If you have your system locked solid, you don't need an antivirus app, because you are already covered with your HIPS apps. :thumb:
    Note: for scanning once in a while, it would be a good idea to have one just to make sure all is ok. :thumb: :thumb:
     
  5. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Do you really need all that stuff? You've got Sandboxie and a frozen FD-ISR snapshot, as well as SUPERAntiSpyware and MBAM for on demand. I think your setup is secure as-is. :thumb:
     
  6. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Don't forget that some like to play with all this stuff; for them it's just like playing with toys. The high priest of the clan is........ you guessed it, Mr. Easter himself. lol :D
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Yes, I have FD-ISR, but please keep this in mind: only on a single drive, not this one. On the other hand, so far just running either RTD or EQS w/Cyberhawk has proven a very formidable defense, BUT viruses are not always confined by these apps alone, and that is the reason for my asking your own suggestions on whether it would be prudent to just add Avira as another safety factor.

    Thanks for all the suggestions and comments. Very worthy and thoughtful insights from you all.

    EASTER
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't comment specifically on EQS or the other apps you mentioned, but I have run into conflicts with AntiVir/Avira and SSM. When AntiVir added that rootkit module to their AV, it caused big problems with SSM. If I remember right, it was the first update to that rootkit module that caused the problem. Since the update was installed automatically during the late hours, the first indication of a problem was a completely locked up PC in the morning.

    When more than one app hooks the kernel and one of them is updated automatically, conflicts can show up with no warning. If you decide to go this route, I'd disable the auto-updating and have an easy means of restoring to the previous state handy.

    Considering the defenses you already have, why would you want to add an AV? Assuming it's properly configured, the HIPS is more than sufficient protection. How much would an installed AV contribute to your setup that couldn't be provided by online scanners? IMO, you'd see very little improvement in protection if any at all. About the only thing I see you getting is an increased usage of processor power, disk space, and memory, plus an increased risk of kernel level conflicts.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks

    Easy answer. I jockey several different hard drives and I'm looking for the absolute impenetrable combo that can stand against the absolute worst malware/viruses a maker might devise, and rest in the confidence that I have a perfect enough combination to ward off even the fiercest of attacks on Windows XP Pro.

    I'm grateful for all your suggestions.

    I want a setup without SandboxIE, or for that matter Returnil, having to fill in against such a potential forced intrusion.

    SandboxIE and Returnil are no-brainers of course.

    EASTER
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I just want to say, from my experience when I had Avira installed along with EQS and Sandboxie: whenever I downloaded trojans from drive-by downloads, they of course ended up trapped inside Sandboxie.

    Anyway, my point is Avira was quick at detecting the trojans trapped inside Sandboxie, but it always required answering a number of EQS popups to allow Avira to go and intercept and quarantine them. EQS was always preventing Avira from doing its job properly.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    A mix-and-match dilemma no doubt. Thanks so much for your results on that combination. It makes perfect sense, because HIPS are strictly pro-active and stop cold file entries BEFORE they get a chance to land in their desired/designed positions in order to wreak their havoc.

    From what I've read so far, my simple solution, which implements pro-active HIPS, is likely far ahead of any potential intrusion curve/entry compared to an AFTER-THE-FACT intrusion.

    Any other results or comparisons and opinions to the contrary are very welcome as valid points either for or against adding an AV to this particular strategy.

    EASTER
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    If you're going to use Avira, another way which would probably be better is to try the Premium; it has a trial. Avira Premium acts like a proxy and scans all incoming traffic on port 80, hence preventing trojans and viruses etc. from even entering your PC in Sandboxie in the "first place".
     
  13. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    I assume that you just need to properly configure your HIPS, because I had exactly the same situation with the Defense+ module of Comodo Personal Firewall.

    As for Avira itself, I must admit that I switched to it many months ago from NOD32 and I am very happy with that decision. It has virtually no impact on my system in terms of stability and performance (in contrast, NOD32 v3x had some strange disk access behavior), while still being a useful addition to the layered security concept (in my opinion of course, however based on the fact that a few times it detected malware that MBAM or SAS could not find... and I am sure it wasn't an FP).

    Best Regards,
    Swordfish
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    I'm a strong supporter of HIPS software - and a router firewall naturally ;) - as the main element in PC security. But I also strongly believe in multi-layered defense: two different pieces of software, such as a HIPS and an AV, give more chance to block a malware.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I also use a layered security package, but a different set of layers. For me, those layers are an internet firewall, HIPS, and web content filtering, aka Kerio 2.1.5, SSM, and Proxomitron. ATM, the only OS I have that has a resident AV installed on it is a virtual copy of 2K, like that really needs one.

    In order for an AV to have a chance of detecting that malicious code, it would have to already be on your system, either in memory or in some temp folder, browser cache, preselected download folder, etc. I also remember seeing something about malicious code that exploits the AV's methods of parsing files in order to attack them. On a system that's already locked down with HIPS, I'd question whether you're creating a possible attack vector that wouldn't exist otherwise, given the permissions an AV needs in order to function normally. IMO, it would be more secure to block all permissions for these folders with HIPS rules and to move them to non-standard locations malicious code wouldn't expect to be run from, like a virtual folder or RAM drive.
     