Question

Hi,

I see some members (Tlu, Windchild, Lucy) pledging for using you OS internal mechanisms. On the other hand I see a lot of members running admin using HIPS and some sort of virtualisation. Somewhere in between I see a few active members (Kees1958, Sully) exploring the edges of the OS to find a 'safer' and still 'flexible' Admin environment.

All these post and threads have given me the following impression
a) some members invest in a more expensive OS version and use it security potential to the max and live happy with light and solid protection
b) most members buy home version OS-ses and run Admin with their choice of protection (mostly HIPS/FW and/or virtualisation)
c) a minority (Sully and Kees195 uses the OS-internals as an admin, they come with new angles to get strong protection, but overall their solutions are more to difficult to implement.

To me the A option is a past station, simply because my new laptop came with Windows 7 Home (and Microsoft does not has a wallet friendly trade up option). The C option looks very appealing to me, because of the low overhead (compare Kees1958 Browser startup times of a second with f.i. Sandboxed browser startups of 5 to 10 secs cold). In the sandboxie tread I also 'feel' some post are questions for help to put forward problems and negative thoughts about Sandboxie (so delay is exaggerated IMO)

I am doubting between B and C, so therefore the following question

a) What is your FW/HIPS or virtualisation solution?
b) WHat is the difference in browser startup time when having enabled protection and what is it without it? (first cold and repeat startup)

Thanks

 

Hi,

I can give you only the example of my wife's laptop Athlon X52 @ 1,6 Ghz

On XP home with DefenseWall + Avast file shield only
- cold IE8 startup 4 secs, hot <2 secs
- cold Chrome startup <3 secs, hot 1+ sec

On Windows7 Ultimate 32 bits with OS-only + Norton UAC tool + PrevX Safe Online
- cold Chrome startup 2 secs, hot < 1 sec
- disabled IE8

Other changes also were accompied with hardware changes

 

here PE Guard 2.1 very soon will have registry protection WinPatrol PLus and some registry tweaks for peace of mind

 

Well glad you are a happy camper, but what is the difference in first launch and repetitive starts of your browser, with this setup and without those security programs running?

 

what do you mean?

 

See Kees1958 answer

Time of first and second start of your browser, with and without having PE Guard, WInpatrol, hitman pro running?

 

it is same speed like 3 to 5 seconds for booting up after restart

 

Option C DOES takes a lot of effort to implement.
(Because later you can get software crashing, like i had with all the browsers, and some stuff more when i enabled SRP)
BUT it's worth imo

 

Those members supporting common methods (Tlu,Lucy,Windchild.. you may as well include wat0114 too ) are knowledgeable chaps with a tried and true method to teach. Anyone would do well to take note of their favored methods, because they work. Whether or not they are what you want is something only each person can decide. I have no problems at all with their approaches, in fact I think it is the best way to tread if you can.

Others who use HIPS and all that, I personally think most of them just like to know and control. Some learn with HIPS as it is a great teacher, some just have to have that level of control. Nothing wrong with that either if you dig it.

And then we have those like myself who either just like to experiment, or for whatever reason will not leave admin status, or perhaps just are tired of all the rules and configurations that hips brings. I can't speak for everyone, but for myself I am always tinkering and refining approaches that can be somewhat complicated to implement, but also don't require much in the way of maintenance either. It doesn't always work out that way, but it is the goal for me.

So, which way is faster, better, more secure? The answer is none of them and all of them, totally dependent upon who you are and what you know. Option A is the easiest to implement. Option B is the option that will work if you learn enough to use those security tools properly. Option C, I think the verdict is still out on that one because it is still in a constant state of flux!

Sul.

 

If you are going with HIPS, there's really not anything much better than Defensewall. Some people go with Sandboxie, I personally prefer Defensewall.

I use Defensewall + Prevx (free, not SafeOnline) on Win 7 x86, browsers are Opera and Chrome, browser startup times have gone up by MAX 1 second (and I really do mean MAX). Then again, it's a relatively fast machine with an SSD.

With Defensewall, the golden rules is if you don't know it, check it out, verify it, only then trust it. Follow the rule, and getting infected is... Let's just say no matter how many times I've tried, I haven't managed to bypass it yet, and boy have I tried hard. There's not much learning with Defensewall, and there aren't a host of pop-ups: I've got several non-technical people to use it correctly with a 2 minute explanation.

 

Hardware firewall.

FF starts in half a blink normal and a blink sandboxed here, both hot or cold starts.

You could try setting Sandboxie's working/storage folder to a ramdrive and see if that improves things speed wise.

The good thing about using a no restrictions system, well at least for me, and Sandboxie/Returnil is that you can see what's going on and easy to harvest any malware droppers from within the sandbox.

 

Thanks,

I noticed some people mention 5 to 10 and one even 20 secs delay using SandboxIE. As mentioned in my post I got the idea that the help-me questions were more directed to making SandboxIE look bad. Also I have the impresion that disk virtualisation (e.g. Retunil or simular) do not have noticeable delay issues.

What are the specs of your hardware?

A blink for you is a second?

 

Xeon quad @ 2.66, Win 7 32 bit.
8 gig ddr2 1066
Ramdrive for Sandboxie's storage folder.
And yep a blink is about or a bit less than a second.

 

My recommendations:

• Use either a standard account (my choice) or admin account in UAC approval mode
• Use anti-executable technology. You don't need an upscale version of your OS to do this. You can use Comodo Internet Security as an anti-executable, for example.
• Audit permissions regularly to keep your OS-provided sandbox strong.
• Optionally, run your browser as a low integrity app, if possible. I do with Firefox.
• Optionally, use real-time anti-malware. I do.

I'm not sure whether this is closest to configuration A, B, or C from the first post. All of this can be done with downscale operating systems for free, except for the cost of the OS.