Protection against malware without AV

Discussion in 'other anti-malware software' started by Tanotia, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. Tanotia

    Tanotia Registered Member

    Joined:
    Mar 10, 2009
    Posts:
    10
    My current configuration...
    Anti-Virus: GData AntiVirus 2009
    Anti-Malware: ASquared Anti-Malware
    Firewall: Comodo Firewall
    Browser: Firefox with NoScript

    I am looking for another program, maybe two, to protect my system should the antivirus miss a 0day threat. I have tried ThreatFire, Prevx Edge 3, DefenseWall, and DriveSentry.

    I disabled GData / ASquared and downloaded 4 trojans and worms to test these applications. Out of 4 malware threats ThreatFire (set on max) detected one worm which was trying to inject code into Kernel32. Prevx detected 3 files. DriveSentry picked up all the threats on execute. I'm not sure if DefenseWall worked at all; it didn't seem to do anything, but it did allow all the malware threats to execute and install into the system.

    Am I right in saying that Prevx EDGE 3 is only a malware scanner based on a online database?
    What exactly does DefenseWall do?
    Finally, which applications should I use to complement my antivirus program?

    Thanks for the heads up!
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Welcome to Wilders. Your thread title is a bit misleading in terms of what you are asking.

    I personally think that GData is enough along with Comodo and Firefox. You should learn how to effectively use DefenseWall (a sandbox HIPS; I haven't heard one single complaint about it, although I don't use it myself) or try alternatives: Sandboxie (sandboxes your browser), Returnil (virtualizes your HD, it has a free version as well), Shadow Defender (another virtualizer, my choice).

    Using a sandbox/virtualizer makes redundant any antimalware type of program like ASquared (IMO of course). If I were you I would make my first priority adding an imaging program that works to your system (which means backing up your system and trying to restore it).
     
    Last edited: Mar 10, 2009
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Well, you are going to get a lot of different answers, so here it goes!

    I use NOD32 with Prevx Edge, which is all you need, and use SUPERAntiSpyware Free and Malwarebytes' Anti-Malware Free for weekly scans; WinPatrol Free is also good for changes made to your system!

    And Comodo is a very good Free Firewall if you want to try another good one go with Online Armor Free or paid version!

    In the end it will be up to you what you want to use!

    TH
     
    Last edited: Mar 10, 2009
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Your setup is fine, so you don't really need to add any other realtime protection.
    Although you mentioned you used Threatfire and Prevx Edge.
    I suggest you use any one of those as an additional layer of defense. It will complement your current setup.
    Though DriveSentry can cause a conflict with your primary AV (G-Data). Running 2 or more AVs simultaneously in realtime is NOT recommended.

    You can also try using a variety of virtualization/sandbox programs.
    Like previously mentioned by Osaban, you can try using Sandboxie (sandboxes your default browser). Also add HD virtualization like Windows SteadyState, Returnil, or Shadow Protect, and you're good to go. :D
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It's a policy-based sandboxing-style behaviour blocker that limits file, registry and system resources access for untrusted processes.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool ;)
     
  7. Tanotia

    Tanotia Registered Member

    Joined:
    Mar 10, 2009
    Posts:
    10
    I installed DefenseWall using the administrator account, but use a limited user for daily surfing.

    Some malicious programs insist on running as administrator; when they do, DefenseWall does not stop them infecting the system even as untrusted processes.

    Any ideas?
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    That is very strange, because as of now I don't know of any malware that can bypass DefenseWall; when malware is run untrusted it is put in jail :)
     
  9. Tanotia

    Tanotia Registered Member

    Joined:
    Mar 10, 2009
    Posts:
    10
    I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in Program Files and the registry.
     
  10. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    It is rogue software. DefenseWall offers you a Rollback function for file and registry traces. So if you know how, you can easily remove them from your disk. But you don't have to. Just click on the Stop Attack button in DW or restart your computer; all these files which the rogue software installed on your computer do not have any rights to make a mess in your system. :thumb:
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Did you get XPAntiVirus2009 before or after you installed DefenseWall?
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    XPAntiVirus2009 is malware itself. Do you really trust everything that is written (or told on TV, doesn't matter)?
     
  13. 3xist

    3xist Guest

    Following up on Ilya's post, just because malware is on the HD or in the Registry does NOT mean it's executed.

    This is how Comodo's Defense+ HIPS works. Defense+ stops malware from "executing". People get confused and say "Well hey, it's in my program folders", but Defense+ STOPPED it from executing. There is a difference. Execution is the key here.

    Not sure how DefenseWall works though, but backing up Ilya's statement.

    All in all, you need a layered security architecture with Prevention (whether it would be DefenseWall or Comodo Defense+) as your first line of defense, and an AV comes 2nd as detection.

    Cheers,
    Josh
     
  14. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Totally agree.
    1. prevention
    2. detection
    3. cure (i.e. backup software)
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    If it's operative (spamming false positives) it is already executed.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Now he has to get FileASSASSIN (MBAM) to get rid of this little bugger :D "Ditto"
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Defense+, as far as I can tell, won't stop malware from executing. The user will. ;)
    Unless a newer version automatically blocks known malicious software. Is that it?
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    No, you can easily configure D+ to fully lock down your system tight: block the running of installers, drivers, DLLs, etc., etc. if you want to :D But it's not by default; you will have to dig into it and play with it to find its full potential ;) (not out of the box of course)
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, that wouldn't make the system very usable, or easily usable. :D

    So, it still works the very same way I used to remember (not so long ago).

    It was 3xist's comment that made me wonder if it now worked differently, when he said
    Defense+ won't block malware. Defense+ and other HIPS won't block unless the user gets alerted for something, and the user then decides whether or not that's something that should be happening, and then, yes, block or allow.

    Regards
     
  20. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    If you've executed the program and it's already installed on your system,
    you will need to use a good anti-malware scanner to remove it.

    I highly recommend MBAM or SAS.
     
  21. Tanotia

    Tanotia Registered Member

    Joined:
    Mar 10, 2009
    Posts:
    10
    Should DW stop malware infecting the system if the malware is run as administrator and DW is not? Even when the malware is untrusted.
     
  22. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    DriveSentry is more of a classical HIPS with an AV component. Just disable one of the AVs or have them scan at different times so they don't conflict. They can get along happily. I use GeSWall as my sandbox. It works with any browser or program that connects to the Internet.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This discussion, 'Protection against malware without AV' seems oriented towards experienced users, yet I don't see that anyone except one person has mentioned what it is that you are protecting against.

    'Malware' is a loaded word, which has no practical meaning without describing the delivery mechanism. Not knowing that, how do you know what you are protecting against?

    If you take malware that is delivered via a Port, such as the worms Blaster, Slammer (they are still around!) and the recent Conficker.a, then the appropriate protection is, of course, a router or firewall. A check of your log will show this protection doing its job by blocking the Trojan/Worm Ports. This can be referred to as the outer perimeter: Nothing gets inside.

    [image: Log-trojanports.gif]

    How about malware delivered via a web exploit? If you have Opera or Firefox, what else do you need? Is there an exploit out there that delivers a trojan that is successful against these browsers when properly configured? Give a URL so we can test. All target IE.

    These are the ways malware can sneak in, and unless someone can show a URL that has an exploit that can penetrate the above, then I submit that those protective methods are sufficient. The Firewall and the Browser effectively stop malware at the outer perimeter, if you will: Nothing gets inside.

    The other way malware is delivered is when the user gives permission to install. Ilya in Post #12 has addressed sufficiently what you are protecting against. That said, we can eliminate consideration of that method of delivery in this discussion.

    The recent PDF exploits have given concern to some, so in the event you think you might open one of these infected files, you say, "How do I protect against it?" This is easy, because the shell code in these files calls out to download a trojan executable.

    TROJ_PIDIEF.IN
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.IN&VSect=T

    Now, we don't have one of these files to test, but we can simulate the remote code execution method with an Autorun.inf file.

    Take any installation disk and put it into your CD drive. You need to enable Autorun for this, because you want to test your protection against an unauthorized executable running. Here, I use a Photoshop installation CD. It uses an executable, Autoplay.exe, to start the installation process. If the installation starts, I submit you are not sufficiently protected at the outer perimeter:

    [image: photoshopAutoPlay1.gif]

    However, since this executable is not permanently installed on my computer, I submit that it should not be able to run without my permission:

    [image: photoshopAutoplay.GIF]

    This could be malware in a PDF rather than Autorun, and is easily prevented by many solutions other than AV.

    I don't consider a Sandbox to contain malware after it executes as a solution, for in my view, it is a poor excuse for not understanding how to prevent the malware from penetrating the outer perimeter and executing.

    CONCLUSION

    1) No discussion of preventing malware is useful without knowing what you are specifically protecting against.

    2) Looking at the way malware penetrates (is delivered), protection against malware without AV is certainly possible, and it can be argued that all that is really needed are

    • a Router or Firewall

    • a Browser other than IE

    • Ilya's advice in Post #12

    3) For the "what if" remote code execution scenario such as a PDF exploit, anything that blocks the malware at the outer perimeter will work. So, add to the above:

    • one other solution (I use 'solution' rather than 'product' because some use SRP which is not a separate product)

    ----
    rich
     
    Last edited: Mar 14, 2009
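Rich's "check of your log" above, turned into a small script. This is an added example, not from the thread or any product it names: it parses constructed firewall log lines and counts DROP entries aimed at the ports the named worms spread over (Blaster TCP/135, Slammer UDP/1434, Conficker TCP/445, which are well-known facts but are not stated in the thread); the log layout `date time action proto src dst sport dport` is an assumption loosely modelled on the Windows Firewall text log.

```python
from collections import Counter

# Worm -> port mapping (well-known facts, not taken from the thread):
# Blaster TCP/135 (RPC DCOM), Slammer UDP/1434, Conficker TCP/445 (MS08-067).
WORM_PORTS = {("TCP", 135): "Blaster", ("UDP", 1434): "Slammer", ("TCP", 445): "Conficker"}

def parse_line(line):
    """Split one log line into a dict; None for comment, blank or malformed lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 8:
        return None
    _date, _time, action, proto, src, dst, sport, dport = fields[:8]
    if not (sport.isdigit() and dport.isdigit()):
        return None  # malformed port field
    return {"action": action.upper(), "proto": proto.upper(),
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport)}

def worm_port_hits(log_text):
    """Return {worm_name: count} of DROP entries aimed at a known worm port."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue  # allowed traffic and junk lines are not perimeter blocks
        worm = WORM_PORTS.get((rec["proto"], rec["dport"]))
        if worm:
            hits[worm] += 1
    return dict(hits)

# Constructed sample log (assumed layout: date time action proto src dst sport dport)
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2009-03-14 10:22:01 DROP TCP 192.0.2.10 198.51.100.5 3421 135
2009-03-14 10:22:02 DROP UDP 192.0.2.11 198.51.100.5 1034 1434
2009-03-14 10:22:03 DROP TCP 192.0.2.12 198.51.100.5 4455 445
2009-03-14 10:22:04 DROP TCP 192.0.2.13 198.51.100.5 4456 445
2009-03-14 10:22:05 ALLOW TCP 198.51.100.5 203.0.113.7 1050 80
2009-03-14 10:22:06 DROP TCP 192.0.2.14 198.51.100.5 5000 8080
"""

if __name__ == "__main__":
    for worm, n in sorted(worm_port_hits(SAMPLE_LOG).items()):
        print(f"{worm}: {n} blocked probe(s)")
```

A count of zero for every worm is the expected result on a properly filtered network; non-zero counts confirm the perimeter is doing the blocking Rich describes.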
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The solution isn't everyone ditching IE, which is now safer than previous versions, and starting to use, let's say, Opera.

    What would result from this action? Opera would be the most targeted browser, just like what happens with IE.

    The more people using X browser, the more targeted it will become. The solution is for everyone not to use the same browser.

    The reason why I don't use IE/Firefox for most of my browsing is due to the fact that Opera isn't as widely used as IE and Firefox, hence less/practically not targeted.

    But, what would happen if, let's say, 90% people would start using it? I guess that, by then, people would go back to IE, for not being as targeted as Opera? Then what, move to Opera again?...

    Just like F-Secure mentions here, about the PDF exploits for Adobe and not only (http://www.f-secure.com/weblog/archives/00001623.html)

     
    Last edited: Mar 14, 2009
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You make very good points, m00nbl00d.

    While I used Opera/Firefox as examples of browsers that are not exploited, I did conclude by saying "a browser other than IE." There are many besides Opera and Firefox -- often some are mentioned in the Software forum here.

    Yes, IE is becoming safer, but is still slow to patch exploits. I would not use IE without some added protection against remote code execution exploits.

    As far as PDF readers: left unsaid is that many, including myself, use older versions of Adobe Acrobat which are not vulnerable to the current exploits. This can be confirmed in the Adobe advisories where the vulnerable versions are listed.

    This of course would negate the need to worry about malware via PDF files, therefore, no other security product necessary. But you can apply this idea to other delivery methods of malware, which I did not discuss, such as SWF files (Flash).

    Experienced users who take all of this into consideration just reinforce the idea that not much security apparatus is needed at all to maintain a safe computing environment.

    ----
    rich
     