Protecting AV/hips-processes

Discussion in 'other anti-malware software' started by ako, Jan 8, 2007.

Thread Status:
Not open for further replies.
  1. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    I have an ancient Excite.com service that will only function on IE with the privacy settings at lowest level :(

    I use Firefox for 99.9% but keep Internet Explorer inside a BufferZone for the few times that it is needed.

    When I used Sandboxie (after about the fifth page on excite.com) I saw the AntiVir Umbrella close and the Guard Service shut down,
    just did a hard shutdown and used GoBack on next boot to restore to a prior point in time, and that was the end of that.

    Looking in Control Panel; Administrative Tools, Component Services, I noticed that the AntiVir PersonalEdition Classic Service (the Guard)
    Properties setting for "Select the computer's response if this service fails:" was:

    First failure: [was Take No Action] changed to [Restart the Service]

    Second failure: [same default, changed to Restart the Service]

    Subsequent failures: [was Take No Action] changed to [Restart the Computer]

    Reset fail count after: [1] days?/?

    Restart service after: [was 1] reset to [0] minutes
    _______________________________________________________________

    The above action first brought up a permission box from ZoneAlarm to allow Microsoft Management and this was followed by a Windows Security asking the same.

    Would like the EXPERTs' opinions on the above settings o_O
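    The same recovery settings can be applied and read back from the command line instead of clicking through the service Properties dialog. The following is an added example, not something posted in this thread; it uses sc.exe (present on XP and later) and assumes the display name shown in services.msc is the one quoted above.

    ```powershell
    # Added example (not from the thread): configure Service Control Manager (SCM)
    # recovery actions for an AV guard service, mirroring the settings described
    # above (restart, restart, then reboot; reset the fail count after 1 day; no delay),
    # and read them back. Run from an elevated PowerShell prompt.

    # Assumption: display name exactly as it appears in services.msc; adjust for your product.
    $displayName = 'AntiVir PersonalEdition Classic Service'

    # sc.exe works on the short service name, not the display name, so resolve it first.
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $displayName }
    if (-not $svc) { throw "Service '$displayName' not found" }
    $name = $svc.Name

    # actions=  first/second/subsequent failure as <action>/<delay-ms>; 0 = restart immediately
    # reset=    seconds of failure-free running before the fail count resets (86400 = 1 day)
    # reboot=   message shown to logged-on users before a recovery reboot
    # The space after each '=' is required by sc.exe's argument parser.
    sc.exe failure $name reset= 86400 reboot= "$displayName failed repeatedly; the system will restart." actions= restart/0/restart/0/reboot/0

    # Verify what the SCM actually stored (the check a practitioner should do after any change).
    sc.exe qfailure $name
    ```

    Two caveats worth knowing before copying these settings. Recovery actions fire only when the service process terminates without reporting SERVICE_STOPPED to the SCM (a crash or kill); a clean stop requested through the SCM does not count, and on XP there is no option to change that (Vista and later add "Enable actions for stops with errors", settable with `sc.exe failureflag`). And "Restart the Computer" on subsequent failures means a guard that fails deterministically at startup will put the machine into a reboot loop, so it is safer to keep that third action as a service restart and rely on the fail-count reset period.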
     
  2. tlu

    tlu Guest

    That's too simplistic. I am also using Linux and considering switching completely to this OS - but:
    • Even Linux can be compromised by installing software from untrustworthy sources.
    • Windows can be considerably more secure by using a restricted user account - that's a basic cornerstone of Linux security. AFAIR from other threads here, you're one of those users who don't follow this important principle in Windows although it also works here - that's inconsistent, sorry. (Vista might offer an improvement in that area for those users accustomed to restricted accounts in 2000/XP. However, many users, who are only used to working as admin, will probably disable this feature in Vista, thus undermining an important part of its improved security concept.) Other measures are the replacement of IE and OE as already mentioned in this thread.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,225
    Hello,

    Don't let them blind you with propaganda. Linux can be compromised. Maybe. The likelihood? Very, very tiny. And if you can follow 5 simple principles, you're set - strong password for root, firewall, no ssh, download from trusted sources, update regularly, there's nothing to worry about.

    I have yet to read about a Linux user getting hijacked. All Linux advisories are PoC code by geeks at universities who use their discoveries to get extra scholarships.

    Windows LUA is a joke. It does not work. It restricts not only privileges but usage also. Unlike Linux, which actually works.

    Vista = improvement in security? More propaganda. All about money. Don't listen.

    Mrk
     
  4. tlu

    tlu Guest

    Mrk, I like Linux and I'm convinced that it's pretty safe. But in the end, it's the user sitting in front of the computer who matters. Imagine, you miss a special codec not contained in the official repositories. So you add an unofficial repository like PLF as everyone does. Do you know the people running them? Are you sure that they look into the source code of every software they put in (provided they have the knowledge to do this)? I agree that the risk is probably low right now, but I'm afraid that with Linux becoming more popular these unofficial repositories will more and more become a target for malware writers. That's no problem for you if you are disciplined enough to only stay with the official repositories - but will you?

    Again agreed. On the other hand, SELinux or AppArmor aren't developed by the Linux community just for fun. There seem to be at least potential weaknesses, otherwise they wouldn't do it.

    It has worked for me for many years. Granted - I'm not a player. And Linux has the better approach. But it works in Windows, even for my children.

    I disagree. From what I've read in my favourite magazine c't (which is rather Microsoft-critical, by the way) there are some remarkable improvements (like User Account Control (UAC), Windows Resource Protection (WRP), Address Space Randomization) that make it very difficult for malware to compromise Vista. And regarding LUA, c't writes that UAC is a remarkable easement for all users who have already used restricted accounts in the past.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,225
    Hello,

    Sticking to tested / verified / official sources is part of the game - no different than downloading a trojan and executing it.

    SELinux and AppArmor are mainly for enterprise and not home user.

    Windows LUA, from the perspective of a gamer with lots of p2p, sharing, testing etc., is completely unusable. For browsing the net? You don't need more than a live CD like Puppy. Windows LUA works, just not enough.

    I have tried Vista. Its security concept is mainly two more clicks for everything you do, compared to XP. Nothing special about it - nothing that a user won't defeat by just a few more clicks.

    But security aside, the major problems with Vista are moral.

    Mrk
     
  6. herbalist

    herbalist Guest

    That's one way to describe it. IMO, DRM + "locked" kernel = spyware. Propaganda fits as well, especially when the topic is security. I'm actually glad that they don't support my "insecure" OS anymore. I don't have to worry about something like WGA being disguised as a critical update.

    I can't agree with your reasoning. I trust my judgement, but I still protect my firewall executable with SSM. It's Windows I don't trust. Microsoft has never been very open in regards to vulnerabilities, especially ones that aren't fixed. How do we know that there aren't more undiscovered vulnerabilities in the OS itself that allow for the injection of system commands?

    All software is vulnerable in some way. Protecting the firewall executable is recognizing that fact and doing what you can to offset such a vulnerability should one be found. On mine, SSM defends and, if necessary, restarts Kerio so Kerio can keep attacks from the web off of SSM. Protecting security-ware processes like the firewall is completely in line with layered security. No matter how good an app's self-protection may be, if it stands alone, it can probably be taken down, but when several are interlocked and defending each other, they're much harder to attack. This is the same tactic used by some of the nastiest malware. App "A" defends and restarts app "B", which defends and restarts app "A". Ask an experienced malware fighter how tough some of the malware that does this can be.
    Rick
     
  7. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    You must have expected a volley of criticism with that statement?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,225
    Hello,

    herbalist, all of the attacks you mention happen AFTER you execute something on your PC. External vectors are through firewall, browser etc. As long as you keep bad stuff on thither side, it can do nothing at all. You're talking about protecting the system once it gets infected. That's like a divorce settlement - who gets more - but in the end, you have still lost.

    cprtech, no. The only thing worth protecting is personal stuff. Making sure some trojan does not wreak havoc on your AV? Why? Simply unplug the line and reformat / reimage. Of course, it's best not to get yourself infected in the first place. But if you don't trust yourself, Linux is definitely the answer. Or no Internet. If someone needed a special appliance to monitor their driving, because they're not sure what they're doing, would you still recommend that person to drive - or take a bus?

    Mrk
     
  9. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    No, I use a HIPS for pretty much the same reasons Herbalist explains in his last post.

    My goodness, you know how drastic reformatting is for many? For myself and many others in this forum, I'm sure, it is not such a traumatic step because I have all my valuable data backed up (usually twice a month), with one copy securely stored off-site, and I use Acronis TI so I can re-image as well, if need be. Unfortunately, many beginners and inexperienced users have not learned how crucial it is to back up their treasured data, so that in case of a reformat, it is a disheartening experience for them, not to mention the required drivers for some hardware, all the programs to be re-installed, email configuration, personal account settings. No, I'm not shedding tears for them, but reformatting is usually a last resort for those who have not yet learned the concept of regular backups.

    The layered approach to security, including the use of HIPS to support other security apps, is one that I fully embrace. It does not mean I don't trust myself. Nor does it mean I stop learning as much as I can about Windoze, networking, and Windoze/networking security :)
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,225
    Hello,

    I'm not many - I'm me. For me, reformat is nothing more than a fun afternoon. And if people actually bothered to learn how to format instead of uselessly intercepting system calls with messages like 'gtrs.exe is trying to modify lsass.exe', then perhaps they would feel better about their computer usage.

    If you use the 'many' as standard, then we should all run NIS 2012 and use IE, right? But we are not mainstream. And therefore, we all have our little dogmas.

    Mine is one of user = everything. Format = good. Trying to remove malware once infected is:

    Trying to outtrick the OS into committing seppuku.
    Trying to patch a wound with toilet paper.
    Never being sure if your cleaning really worked 100%.
    Avoiding admitting the failure, as a user, of getting infected.

    Got infected? Tough. Now you pay the price of reformat. That simple.

    Reformat is not the last resort and should not be the last resort. The fact most people have a hard time switching their computers on does not really make me consider my own doctrine as 'overkill.'

    I see it this way - if you wish to control the OS for these reasons:

    You don't trust it.
    You wish to contain malware when it happens.

    It means you are missing the real fun of the Internet usage.

    Malware should not happen.
    You should use an operating system that you trust.

    Mrk
     
  11. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Actually, before it happens ;)

    In a perfect, anal-retentive computing world we would never make the mistake of allowing malware onto our machines. After all, we are human; we fatigue, stress out, forget, overlook details, get distracted. The security package is simply there as some added insurance to help prevent the possibility of malware invasions. Besides, I also like the HIPS as a learning tool. It nicely reveals in its alerts and logs just how much influence common Micro$oft processes have on the system.

    BTW, I do agree with formatting or re-imaging to eradicate malware, but it is a difficult step for "many". Just take a look at the number of victims in the Castlecops forum on the long waiting list to have their machines disinfected by the malware experts... because formatting is, regrettably, a last resort for them. It's kinda' disturbing :)
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I hate formatting on my own PC.
    Sure, it means the PC is faster, but it's a pain in the ass for me.
    I just want to get home after a long day at college and the long bus journey and use the PC.
    I don't wanna have to reformat tons.
    I could reformat and get all the drivers and make sure it's all backed up.
    The only thing I fear is having to re-import all the ATRAC3 music for SonicStage.
    lodore
     