Reduce Software

Discussion in 'other anti-malware software' started by TerryWood, May 24, 2008.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi All

    Appreciate your views on whether its possible to reduce the amount of security software I am using?

    Win XP SP2

    Firefox +KeyScrambler + NoScript + Adblock & Opera
    Avast Home
    Comodo PF 3 plus Defence +
    Returnil Free
    Sandboxie with separate sandboxes using wraithdus Process Group config
    SetSafer (DropMyRights type of program) on all I/Net facing programs

    On Demand

    AVG AntiSpyware

    Super Antispyware Free

    Questions

    1) Can I do away with avast and/or Comodo

    2) Could I replace Comodo plus Defence+ with Threatfire in the above setup?

    3) Do I need on demand Scanners (Not found any nasties for many months since setting up separate sandboxes plus allowing only one program per sandbox)


    Thanks

    Terry
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any malware that bypasses your security software will be removed by Returnil, because Returnil doesn't allow any change in your system partition. So this is a very strong protection, if you use it right.
    The only possible reason why you still need scanners and on-demand scanners are NEW objects downloaded by YOU.
    No security or recovery software will protect you against downloading and installing infected NEW objects.
    That's all I have to say.
     
    Last edited: May 24, 2008
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Technically, almost any setup can be reduced. It just depends what the user wants.

    Anyways: if you have a router/firewall, you can remove Comodo.

    You could also remove SetSafer. I think Sandboxie is enough. Or vice versa.

    ***********************************************************

    1. You can get rid of avast if youre brave enough. See my above comment on Comodo.

    2. Comodo is a firewall and Threatfire is a behavior blocker. Theyre different.

    3. Probably not.
     
    Last edited: May 24, 2008
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Terry,

    You might consider this (when after a router)

    First Level: XP Firewall (only when using wireless, otherwise you can set this off also).
    2nd level: RunSafer (mitigates all internet facing aps with limited user rights)
    3rd Level: ThreatFire (free or pro) as AV and Behavior Blocker

    Options
    For dangerous surfing use on demand Returnil or Sandboxie (partition virtualisation is a no-brainer for ad hoc as on-demand usage).

    You could still use Avast for incoming data streams (the network/Internet/e-mail/P2P shields) but turn off standard shield because TF performs this function in a different way. You can still use Avast forf on-demand scans.

    Ad 3:
    add a custom rule to TF, using the wizzard

    When any process creates 1 network connection, except when the process is in the system process list

    Name of the rule
    Outbound connection created

    Description
    Outbound connection created, Click on "learn more on this threat"

    <use ctrl enter to continue on next line or create a blank line when entering this text>

    Choose KILL or ALLOW when in doubt, otherwise ALLOW + REMEMBER

    ThreatFire checks its AV-data base at any intrusion, so the program is not a known malware, click learn more to check the internet.

    Now start all your internet facing applications and choose ALLOW + REMEMBER, next do an update of Windows, DefenseWall, create a restore point (also seeks outbound) and any other program you have that requires periodic updates, also choose ALLOW + REMEMBER for those programs.


    Or is this to much reduction :)
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi All

    Thanks so far.

    I do not have a router just a USB modem and the previously stated software

    Terry
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tery

    1ST
    As said WIndows XP buid in firewall or CFP/D+ as explained in https://www.wilderssecurity.com/showthread.php?t=207773

    2nd: SerSAfer for internet facings aps

    3rd: ThreatFire when with XP firewall with additional custom rule for outbound custom rule or when using CFD/D+ out of the box)

    Option, Keep using Avast on incoming data streams only PLUS on-demand
    OPtion, Returnil/SBIE (not both)
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Do you download a lot? On demand scanners are handy for scanning all downloads. Of course you can always upload any file under 10MB to Virus Total or Jotti for scanning. I still like to scan with my on demand scanners because once you run a file, it's probably game over if it's infected.

    By the way, your setup is very similar to mine. I only use Returnil when needed but I use Sandboxie daily. I also use DropMyRights. Avira watches my back and OA2 alerts to anything out of the ordinary.
     
  8. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi

    I download but only moderately, an occasional fling but thats it.

    Thanks

    Terry
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Terry,

    Your question made me re-assess my security set up.

    Being a former IT specialist (that was 18 years ago, systems design, data base administration and mainframe/green screen communication specialist), I have a great trust in policy and rights management.

    Since XP Home versions come without policy management, and this policy management is way to difficult for the average PC user, I have bought DefenseWall (and also GeSWall to try both out).

    I now have on XP sp3 box:

    First level of Defense
    Network stack is the first contact with the external world, therefore you need a firewall. When you are not a firewall specialist (which are loaded with classical HIPS functionality, eg D+ of Comodo), the default XP firewall will do for daily home PC issues.

    Second level of defense
    This is the process stack. When you use SetSafer to run all your internet facing aps as limited user, you will cut out at least 95% of the problems, by reducing the attack surface (running Threatgate applications as limited user).


    Third level of defense
    Realtime check on known malware on INCOMING data streams only!
    I suggest you re-install Avast and only use the Network shield (filters on worms and backdoors), Internet-mail OR e-mail shield (depending on using outlookexpress or outlook full), P2P (when you use limewire, otherwise skip), Messenger shield(when using messenger, otherwise skip). Do no install the standard shield (it is the realtime AV-component, ThreatFire will after this), To increase speed of system startup I have delayed Avast loading until after system modules (is an option in the trouble shooting section). You can still perform on demand scans in this Avast configuration.

    Fourth level of Defense
    Install ThreatFire, add the extra rule for outboud protection. When executable code and data arrives on your harddisk, TF will guard them, not by scanning all actions or trying to control all attack vectors (like D+ of Comodo). In stead it monitors sensible area's of your PC and looks for bad behavior. When an intrusion triggers ThreatFire, it will track all actions of the intrudor. When the intrudor has collected enough bad behavor points, TF will trigger a pop-up AFTER checking its Anti Virus blacklist data base first. So when TF warns you, you known that it is not a known malware. So it can be a false positive or a zero day threat. TF has a reputation of throwing close to zero false positives at you. Besides that you can always Google for the program causing the warning (just click "learn more on this threat".
    Consider TF your gate keeper/goal keeper protection you system on process and data level, with a blacklist and behavior blockinh HIPS.

    AD HOC Fifth level of defense
    Use Returnil for dodgy web surfing, It works dead simple: it protects a compleet partition/hard disk by virtualising changes made (sort of copy of the execution environment). Nice thing is that changes are made in the virtualised file system, not in the real environment). Virtual copies can be purged at next log-on/system boot up.

    In stead of level 2 and 5, I run DefenseWall (remembers untrusted state of downloaded files/programs, therefore chaining them to limited user rights mode, which paralises 99% of the malware (chaining in stead of throwing data away as with SBIE or Returnil).

    Regards Kees
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.