PrevX Edge, DefenseWall - Easy for general public?

Discussion in 'other anti-malware software' started by robbcrg, Apr 15, 2009.

Thread Status:
Not open for further replies.
  1. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    After having read what seems like 5,000 posts I have learned, I hope, a great deal. First, there is no best solution, but there are a ton of very good solutions. Which is wonderful. Second, there are more ways to get infected than one can possibly imagine. Third, there is a trade-off between protection and ease of use (isn't there always?).

    It is sometimes hard to see if the detailed debates about one configuration versus another are big differences or minor. The problem is finding an effective solution for my purposes, and it is here I hope someone can check out my logic and choices to see if they are "very good" versus "zombie bait".

    I would like a single solution to maintain for all my environments, so right there I am on shaky ground. Worse yet, I need a solution that is NOT intrusive; it must be usable by your standard office worker (think dental office), my lady and hopefully useful to me. And I am not keen on maintaining a set of custom rules for everyone either --- in this rare case I am pretty much forced into "average user" mode.

    Average site configuration

    • Linux Shorewall in most installations as a firewall, or Windows FW
    • Hardware RAID1 or UnRaid depending on file server needs
    • JungleDisk (JD) backups for all data daily
    • Windows XP (usually PRO) workstations
    • Running with full admin : yes, evil, bad, nasty and NOTHING I can do about it due to some vertical market software required. This will change as sites migrate to Windows 7, but typically a site keeps its configuration until a new system is needed, which is currently 5 years on average.
    • These are small offices (3) so free for non-commercial use licenses do not apply.
    • Front desk systems are Internet connected, but backroom systems are NOT usually on the Internet except for getting Windows updates occasionally. Helps with HIPAA compliance and internal office protocol.
    • Both IE and Firefox are in use
    • Updates appear to be applied quite regularly, training works!
    • Internally I use UnRaid, JungleDisk and testing ShadowProtect continuous increments.

    I have used Nod32 for a while, and it works well enough, but some recent intrusions have brought to light the need for a layered approach. Price is a bit of an issue, but a total outlay of $30-$50 or so per computer is acceptable. As Nod32 licenses expire I will suggest and help install the new defenses. Cheaper means less deployment resistance. My current choice being tested is this combination:

    • PrevX Edge (is this "good enough" by itself?)
    • DefenseWall (just started testing), possibly Returnil - still researching the differences.
    • Winpatrol Plus on my internal system - not scheduled for others at this time.

    The above are based on forum posts, signature lines (funny way to count, but popular at least means help is available) and ease of use.

    I want the simplest, but no simpler, solution. I considered Sandboxie but I have concerns about getting effective user compliance. I prefer an automatic solution.

    All systems, except mine, will hardly (hmmm, they SHOULD hardly, that is) ever download new software. But they do surf, and apply software updates. And of course write documents and such, although those usually get saved to the Linux file servers I have installed.

    So, do I look to be "mostly covered" or "mostly bait"?

    Thanks
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yep, it's mostly constant definitions. That's why it's very important to find a "golden balance" between security tool strength and its everyday usability.
     
  3. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Doing more research and I am questioning the ease of use of DefenseWall. Not for me or another experienced user, but for less experienced. If I understand it properly, DefenseWall isolates all changes to a sandbox. But that seems to make it harder to apply Firefox, Thunderbird, and other updates that might be sent down. And that will cause a ton of confusion.

    Is this correct? If so maybe a sandbox is just a tad too advanced for my average user case. Although I can see the advantages of it for me. I used to use Altiris Software Virtualization but found it difficult to maintain snapshots. It seems more adept at packing things than isolating them in a convenient manner.

    Is there another, simpler (even if less effective) approach?
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    At this stage (about a year on the forums and still learning) :) , I think the most important thing is keeping software patched.
    So for your setup, I'd go with Prevx, (free I think) TF, and Secunia for patch scanning.
    And a good imaging system, Shadow Defender, if you haven't got one already.
    And whatever AV & firewall you prefer.
     
  5. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks Joeythedude for the heads up on Secunia. Tried the personal version and found my ActiveX Flash was out of date (no surprise, I am hardly ever in IE). I need to find out what a commercial license costs, I am annoyed and worried when the pricing is "call us".

    I have tried other patch solutions a few years ago and found them horrible, apparently a bad enough experience I purged the idea from my memory :(. Time to use Wilders to fix that oversight.
     
  6. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    I'm sorry, what is "TF"? I need to make an acronym guide.
     
  7. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    DefenseWall is set and forget. One of the easiest security programs to use. Highly recommended for average/novice users and support is superb.

    ThreatFire: an excellent (free) behaviour blocker.
     
    Last edited: Apr 15, 2009
  8. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Don't ThreatFire and DefenseWall overlap quite a bit? At least in purpose if not in execution.

    Aren't PrevX Edge and ThreatFire also an overlap? PrevX Edge seems rather hard to get a grip on. I am fine with it not fitting into a box per se, but it does make it harder to see how it works with other tools.

    DefenseWall is spoken of so highly it seems too good to be true.

    • Zero maintenance
    • Non intrusive
    • Easy for beginners
    • Little or no system impact
    • Keeps out malware and viruses

    What's its downside? Any?

    I feel a long, complex blog post on my trials and tribulations coming on. 4 pages of notes and still counting ...
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    The downside is you'll have to be able to manage the sandboxing. If you install a lot of programs - like me - it might not be for you. If you simply browse dangerous web-pages when using your web-browser, this or maybe Sandboxie is definitely a no-brainer.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not exactly. If you mean file system and registry changes, they all are under policy restrictions.

    Untrusted applications have to be updated as trusted.
     
  11. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks Ilya, I was afraid of the update issue. For my use DefenseWall sounds grand. But for others I have serious concerns I will be getting far too many calls and doing too many remote sessions to justify that extra layer of protection.
     
  12. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    It can be unstable on some systems so Ilya may have to provide new drivers. It can suck up a lot of CPU time but unless you have very old machines this should not be a problem.

    You can take a look at some videos:

    DefenseWall
    Prevx Edge
    Threatfire
     
    Last edited: Apr 15, 2009
  13. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    OK, watched videos, again. Reread threads on behavior blocking (BB) and HIPS (Host intrusion protection) and AV (Antivirus). But products are blurring the line, as they probably should, between these groups.

    It seems there are a few common layers of protection:

    * Firewall in (I am covered there)
    * Firewall out (just Windows FW)
    * Prevention (BB, HIPS, on-demand AV)
    * Removal (AV)

    A third area is virtualization, which for now I am leaving only as an option for my advanced users.

    So if the above is a useful simplification it appears the following (with the exception of DefenseWall) are pretty good all on their own. In theory at least.

    * PrevX : Prevention (BB?), Removal (AV)?
    * ThreatFire: Prevention (BB), Removal (AV)?
    * DriveSentry: Prevention (HIPS), Removal (AV)?
    * DefenseWall: Prevention (HIPS)
    * Outpost Firewall Pro: Firewall, Prevention (HIPS), Removal (AV)?

    It seems that each of these is a bit of an overlap with the other. Assuming of course I know the difference between HIPS and BB, which I don't seem to.

    Leaving out HIPS for now, since the general consensus is that they are a bit more suited for advanced users than my target base. That leaves the following, both of which appear to overlap each other quite a bit.

    * PrevX
    * ThreatFire
    * And yes, I know there are others. But I gotta start narrowing this down someday and make a decision....

    Combined with patch control (Secunia) and Windows Firewall for outbound. Maybe add Sandboxie or DefenseWall for my advanced users who have home systems and probably to my internal systems. So my new end-user configuration is:

    * PrevX and Windows Firewall (Linux FW for inbound)
    * Optional: DefenseWall/Sandboxie (still testing) for advanced users
    * Windows Firewall

    Did I go horribly wrong somewhere? If I understand it right PrevX AV has me covered. The downside is that without an Internet connection I am vulnerable to Flash/DVD/CD threats? And for that DefenseWall should be fine, since only my advanced users will be using external devices without an Internet connection.

    And of course, daily backups with multiple increments stored off-site.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    One thing I can testify: of all the programs that I tried in the past 5 years or more, the only 2 that really passed all my malware testing with flying colors are DefenseWall and Malware Defender ;)
    And recently one of my computers was attacked by malware and out of all the security installed, which all failed to detect it, the only one, and I mean it, the one who saved my bacon was DefenseWall, so I highly recommend it to all my friends and new Wilders forum newcomers :)
     
  15. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    65
    @robbcrg

    Some further comments for your information gathering. I run a small engineering business (25 folks) and, by default, get the "privilege" of having to deal with much of our computing infrastructure. We utilize specialty engineering analysis software that does run into issues with various of the security software options and that makes significant (huge) demands on individual system and local network performance. We have similar ease of use (i.e. user) issues as to those you have mentioned.

    Our current security arrangement is Prevx and Windows Firewall on our desktop systems - nothing else. Typical AV and AS software has proven to affect HD access times and processor cycles to the extent that the performance of the software for which we use a computer in the first place had become notably reduced. Thus, we place a high priority on minimal footprint, minimal impact, minimal user intervention, and minimal user annoyance. We would love to add Threatfire...however, it has demonstrated some odd performance issues with file access times for some of our specialty software - that issue is being addressed by PCTools and we will likely add TF when its interaction issues are resolved.

    We have seen "no" threats breach our systems as "yet" - although, we are behind a Watchguard Firebox hardware firewall and antivirus software on our MS Exchange server. This approach has permitted our engineers to benefit from improved desktop performance and maintained a "reasonable" modicum of protection...noting that our users are also somewhat "sensitized" to security issues as well.

    So, FWIW, Prevx and Windows Firewall alone...and adding Threatfire when the performance issues are resolved with respect to our software.

    galileo
     
  16. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks galileo. Nice to hear from someone with a similar environment.

    I run ClamAV on my Linux mail servers, which most of my clients use. It seems to catch stuff (viruses and phishing) according to the logs and quarantine folders.

    From my understanding PrevX and Threatfire are very similar types of protection. If true, why do you want to run both?
     
  17. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    I would really like to use either of those, but in my users' environment I would cause so much confusion it would be the end of my sanity, I am afraid. For my local environment, I am testing DefenseWall and Sandboxie. Not sure which I prefer just yet. Many use both, but that is a bit more than I want to deal with for now. I like Sandboxie because I can easily trigger it for just the times I am venturing into the unknown. Having ShadowProtect performing increments every 15 minutes provides some margin of safety.

    Can you explain how Malware Defender operates and how it differs from DefenseWall or Sandboxie?

    Thanks
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    The best combo, and it is all I use for now, is Prevx 3 and Sandboxie. To me that is about as simple and secure as you can get. Sorry Ilya, but.............

    Defensewall has been tested from one end of the earth to the other and it is rock solid. Prevx 3 has not. So as time goes by and 3.0 is tested, failing would knock it quickly from most users choice. But for now, it has to be Prevx and Sandboxie.

    PS. Sandboxie latest version sucks with IE8. It won't terminate after you exit your browser. Sorry Tzuk, but it is true. But 3.34 is flawless for now.
     
  19. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Sandboxie is starting to seem like a nice idea for me and my advanced users. I am still trying to nail the differences between these. I am trying to summarize the main differences based on forum posts.

    DefenseWall : An always-on application protector. For in-program updates they must be made trusted, which complicates things a little. For example: Firefox: make trusted, update, make untrusted. Support is known to be stellar. More complex to use for beginners than Sandboxie, but offers all-the-time protection. Configuration is also harder just because it is always-on. But it offers more protection (always on) and once a user grows comfortable with it, it seems easy enough.

    Sandboxie : On-demand, single application protection. Easy flush. A great way to enter dangerous waters on-demand. For normal updates and such just run the normal application. Easier for beginner users, but the risk is they do not run applications via Sandboxie (bury the normal icon deep in a menu?).

    Malware Defender : Still not sure about how this differs from the others. Seems most like DefenseWall.

    * All seem to be a bit of a pain if testing lots of different programs. For that a roll-back/image seems a much better/easier solution. At least to get initial impressions, benchmarks, conflicts, etc.

    I keep going back and forth. Any comments from others that use these on which ones take the LEAST effort supporting casual users? As in as little as possible, down to 0. Imagine you have say 25 remote users and lack any kind of software update push technology.

    I think these are for the more advanced user, or maybe a home user that is willing to tinker (those I do have to support).
     
  20. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    With Sandboxie you can run more than one app sandboxed. With the paid version you can make it so that any program you want to run is run sandboxed. Also, with installers you can right click them and select run sandboxed and anything that happens is contained.

    With Prevx 3.0 you get great detection and clean up plus excellent support and as an added bonus...no system drag.
     
  21. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    I will test Sandboxie later this week; it sounds like it will fit better into my "try lots of stuff and compare them" mode of operation.

    I assume there are issues with program updates just like DefenseWall? In which case I need to run the non-sandboxed version to perform the update.
     
  22. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    65
    Threatfire offers more granular control and some valuable options for custom rules. One can create network traffic and network monitoring rules and thus provide some control of outbound or outfacing applications and access - as well as attempts to write to the registry and local file system. TF is indeed similar to Prevx, but there are differences between the two that effectively broaden one's protection - without degrading system performance.

    Depending on your network security (local/internal) and on what your users are "sensitized" to, either could be enough alone. From my perspective, if you are dealing with machines that are not always behind a hardware firewall and email AV (i.e. traveling laptops), then TF with appropriate rules may be configured to be a bit tighter. On the other hand, if you are always behind a hardware firewall and email AV, then Prevx is more than adequate (in our experience) and is the lighter choice of the two.

    ...just some thoughts for you...:)

    galileo
     
  23. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks for that clarification galileo. That helps explain the differences to me.

    My clients are always behind AV mail (TLS connection for upload/download via IMAP) so that's good. And few, if any, currently travel.

    PrevX seems a better fit for my situation, although I can see the benefits of ThreatFire rules. I just don't want to deal with those rules now, and am willing to take the corresponding hit on my risk factor. Especially since it appears to be modest.

    My goal in this was replacing a pure AV with a more robust solution that is nearly as quiet. Learning more about DefenseWall and Sandboxie was a huge plus and I am considering the best places to deploy one or both of those (my internal network is one, as well as a few more advanced clients and associates).

    Currently I have trouble tickets into PrevX regarding some false positives. Looking forward to an answer since they are common programs: Deduction Pro, downloaded from H&R, and the Norton ActiveX virus scanner. Only thing so far that is preventing me from ordering PrevX.
     
  24. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    611
    Location:
    Melbourne, Australia
    I'm enjoying this thread because I empathise with the OP's requirements.

    There is a lot of great security software out there, but anything that shies away from the normal usage of your plain, vanilla Joe Public who doesn't surf on the dark side involves the user taking a decision, e.g. I have just downloaded this software: do I run it as trusted or untrusted? Do I block/allow?

    JP isn't qualified and doesn't want to be bothered with being asked to change his PC habits or do the research to determine whether a programme is safe or not.

    I don't want to take a decision.

    I want the programme to take the decision on my behalf and I know sometimes the programme will get it wrong with a FP, but so what, it's rare to hear a beep out of them.

    Based on many readings and trying all sorts of software I am back where I started: black-lists.

    So, I have Avira, SAS and Defender (Basic membership) with Startupmonitor real-time. Also, I have an account with OpenDNS.

    Hence, I will be told of any baddies that are known by those programmes. I accept they may miss something but the risk is so minute I'm not bothered.

    I'm not a security expert (but I know where to find some) and I don't want a programme treating me as such.

    If the programme thinks there is a problem, quarantine the "nasty" and tell me you have done it. Be user friendly and automatically send it to the ether where it will be analysed, unquarantine it if it's OK. (ATM one is expected to manually upload to VirusTotal, Jotti or your security supplier.) After 7 days delete it automatically if it hasn't been passed safe. This should be standard for all Joe Public security software.

    Lastly, make it free for JP.

    Ian
     
  25. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    65
    @robbcrg

    You are most welcome....glad I could share some experiences. Sounds like your risk/reward assessment is very much like mine - very modest risk delta for reasonable performance and management reward. Generally speaking, a good tradeoff. My goal was the same as yours in moving away from heavyweight AV/AS apps.

    BTW: I would agree that Sandboxie, DefenseWall, and Malware Defender will require a steeper learning curve and are inappropriate for the average daily user whose focus is not on security but rather on the usability/productivity of his/her system - which, IMHO, is where the focus should be. The user needs a solid and understandable comfort level with respect to the security of his system but does not want nor need to be bothered by chatty and/or oblique security pop-ups/messages. His understanding needs to be with respect to the "boundaries of safety" of his system, not with how to configure nor interpret security apps....again, IMHO.

    galileo
     