Setup for parents.

Discussion in 'other anti-malware software' started by Newby, May 27, 2008.

Thread Status:
Not open for further replies.
  1. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Hi,

    I am setting up a security setup for my parents. It is an old XP home SP3 box (Athlon 3700 with 1,5 MB and Sata-1 250 MB drive). Used Safe Xp for some hardening and dropped some useless services. Gave them a maxtor external drive for baclup (freebie Maxxblast for image and synchback for data).

    I guess they are relatively safe surfers (I do not want to know), they would be using it for on-line gaming (bridge with players around the world, not the shoot and kill stuff), browsing, music download (P2p), e-mail and sending photo's to family abroad.

    They are behind a simple Nat router (no SPI/DPI), via a wireless card connected through the internet (cable broadband)

    I would like a pop-up less defense, which is lean and preferably in Dutch.

    I opted for the classical FW + AV + HIPS, but in a trimmed down mode


    An easy firewall.
    I have tried many, most of them are way to difficult or loud (pop-ups). Every time I came back to Sunbelt Kerio Personal Firewall. I know it has a history of being buggy and slow. Just try installing it in advanced mode and opening Limewire, that confirms all the negative press around it, but . . .

    When you install it in easy/no pop-up mode AND disable all logging features (also of the paid HIPS features when using the free version) AND disable the NIDS and enable Behaviour detection with (allow to start aps, warn on changed aps, allow aps starting other aps) and disallow traffic in startup/shutdown it is actually quiet good. The disk throughput speeds are back to normal (depending on settings you can loose 20% speed), KP4SS.ese uses little CPU time (< 3 secs in 1.5 hours browsing), the two user kpf4GUI aps stay on zero CPU time. After installing their PC, opening Internet aps, the sKPF stays quiet.

    What I like about sKPF is that it also warns on changed exe's (post crime warning) and when it throws a pop-up, it is a real threshold with a clear warning (not just a small tray pop-up which remembers the previous tick boxes for ease of making mistakes).

    Easy HIPS defense
    It was all second hand PC, and it is not the XP pro version, so I can not implement policy regulations. Therefore I choose DefenseWall because it is a real strong HIPS, with no pop-ups. I also has the advantage that it remembers all untrusted files, starts to auto protect untrusted files in download directories after 15 days (still keeping them unrusted, but other untrusted sources are not allowed to change them anymore), has auto clean features for the message and file/registry logs. So basically is an install and forget setup. I used resource protection to sharpen up defense.

    Limited AV protection
    My father will run a complete scan before monthly image and data backups. I will keep a clean fresh install image, and he will keep two versions (latest + previous) as rolling backup. I choose Avast because it is in Dutch, have set it to perform a rootkit scan and memory scan at startup (but delayed after system services, so it does not slow down log-on). I only use the modules network shield (because sKPF is fater without NIDS), Internet mail shield, P2P shiels and web shield. And I have installed it wothout skins, making the User Interface easier to use (the steps are explained in the scan). So I only check incoming data.

    Round up
    - sKPF = in + outbound traffic + image execution code check + no traffic at startup/shutdown
    - DW = all internet facing aps are sandboxed as are downloaded files + some added protection of HKCU hives and program directories of Avast and sKPF
    - Avast = startup check (delayed) for rootkits and memory, no realtime check only incoming data (network for worms, internet mail, P2P, web)

    Feedback appreciated when
    - it is a easy in daily usage (no pop-ups), when popping up preferably in Dutch
    - it is light


    Cheers N
     
    Last edited: May 27, 2008
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  3. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Hurst

    Thx, I had a bad experience with Norton Internet Security 2005, so . . . Norton 360 did not come into mind, although a lot are recommending it.

    I have read that thread and tried Kees1958 combo, was very good & very safe, but I thought TF was a bit heavy on the machine. Most of the times it really went smooth, TF kept a low CPU usage, then all of a sudden it spiked up, locking the machine for a few secs. According to other members TF only spikes when mitigating malware (impressive logs it keeps of running aps), but I could not understand what the reason for those CPU spikers were.

    Sorry yes they do on-line banking, that is why I think DW + simple FW will do.
     
    Last edited: May 27, 2008
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Since they are on XP you may want to consider an alternative browser like Firefox or Opera. They will just have to check to see if their banking site is ok with either of them. I believe you can download a FF add-on that will render FF as IE though. Also, several other security type add-ons with FF- noscript, etc. Maybe also something like keyscrambler?

    http://www.qfxsoftware.com/index.html
     
  5. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Code:
    route -p add 69.50.160.0 mask 255.255.224.0 [B]Their IP goes here[/B] metric 1
    route -p add 85.255.112.0 mask 255.255.240.0 [B]Their IP goes here[/B] metric 1
    route -p add 216.255.176.0 mask 255.255.240.0 [B]Their IP goes here[/B] metric 1
    route -p add 194.54.88.0 mask 255.255.252.0 [B]Their IP goes here[/B] metric 1
    route -p add 81.95.144.0 mask 255.255.240.0 [B]Their IP goes here[/B] metric 1
    This will block access to all IPs within those ranges . Its super easy to install and remove and conflicts with nothing . You can modify it with your own IPs you want to block .

    We tested this at a few forums but since it does not work on dialup or DSL with a non router modem we did not make that big a deal out of it . On any system with a router it is a nice way to add a zero downside layer to security and since it needs no updating and is proactive it is perfect for people without much computer knowledge .

    To remove :

    Code:
    route delete 69.50.160.0
    route delete 85.255.112.0
    route delete 216.255.176.0
    route delete 194.54.88.0
    route delete 81.95.144.0
    EDIT :

    In case people are wondering if MBAM is adding this , no , we have something better in the works .

    We just could not make this work on 100% of systems .
     
  6. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I vote for a limited account with a disallowed by default SRP. :thumb:
     
  7. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Elitekiller,

    Thanks, I tried that. But I got an error when adding an user. Seems that something was removed of the XP setup, so I am not able to create a limited (or other user).

    That is why I trail DefenseWall now.

    When you have any clue, what might be the cause of this error, please post.

    I did not do the hardening, my father did it, so I have no idea whether he removed a service nessecary to create new users. They also have purchased some music (for more than € 100 euro). I was so clever to make a backup image before I reïnstalled XP Home. After the reinstall I was able to create a user, but all their DRM licenses were gone. So I put the image back again.

    With my limited knowledge this is a catch22 situation for me. DW sort of obtained the same benefit of LUA (even safer) when running admin.

    Thanks for responding

    Cheers N
     
  8. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Nosirrah,

    Sounds impressive and simple to me, let me rephrase so you can determine whether I do understand

    So route - p etc is a command I enter in the dos box (command.com)

    Is this a fixed IP address or the IP address of my parents?


    Meaning ??

    So it is crucial to have a router/modem on cable?


    Could you explain the concept/benefits of a "zero downside layer"?

    Much appreciated

    Cheers N
     
  9. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    I have installed Opera, much faster and I found skins which makes Opera look like IE (there are also FireFox skins). I tried to add a spelling plug-in, but could not get it working with the latest Opera
     
  10. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Turn the whole thing into a batch file , paste intio .txt and rename to .bat .

    First of all this is not what route was designed for but if you break it just right you can make it block IPs instead of reroute .

    69.50.160.0 mask 255.255.224.0 <- this is the start IP and the mask determines how many IPs total .

    Their IP goes here <- use IPCONFIG from CMD to get this . Its on the line : IP Adress ..................... . So if their IP was 4.4.4.4 the lines would look like :

    Code:
    route -p add 69.50.160.0 mask 255.255.224.0 4.4.4.4 metric 1
    route -p add 85.255.112.0 mask 255.255.240.0 4.4.4.4 metric 1
    route -p add 216.255.176.0 mask 255.255.240.0 4.4.4.4 metric 1
    route -p add 194.54.88.0 mask 255.255.252.0 4.4.4.4 metric 1
    route -p add 81.95.144.0 mask 255.255.240.0 4.4.4.4 metric 1
    As far as no downside , this does not seem to change system performance at all and from my testing does not ever seem to break anything (other than access to malicious IPs) .

    It does not work on dialup and does not work on a DSL non-router modem .

    To test this take any site within those ranges and confirm that you can get there before the batch but not after .

    datahealer.com <- this is a rogue home page that does not have any direct infect abilities . I just tested and it worked fine before I installed the batch file but after it was dead . I get a google search like I tried to enter a site that does not exist .
     
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Isn't a HOSTS file more practical than this solution?
    What are the advantages/disadvantages?
     
  12. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    What if a bad IP adds new domains ?
    What good with a hosts file do then ?

    If a bad IP block of lets say 100 IPs has 25 domains per IP , that is 2500 lines in a hosts file , its still just one line with this trick .

    Take a look at the ranges that this blocks , those NEVER need updating and are proactive .

    BTW , when I said it conflicts with nothing , go ahead and add a hosts file on top if you want , it wont hurt .

    The main goal of this trick is to block stuff that is bad before it even gets a chance to be bad .
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nosirrah,

    So it is basically the same mechanisme I used with old Nat routers to reroute port 139 calls into eternity and get it stealthed instead of closed.

    I do not use a host file because of the performance impact. This is a viable alternative. Are the IP's mentioned the ones which cover up most malware ranges or do you have to make your own batch file with all bad IP-ranges?

    Regards Kees
     
  14. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Not all bad places but a very good start . If you are interested its not hard to look up what the experts recommend to block at the firewall or router level and convert those ranges into IP + mask .

    The ones I posted are these :

    EST Domains : 69.50.160.0-69.50.191.255
    InHoster : 85.255.112.0-85.255.127.255
    InterCage : 216.255.176.0-216.255.191.255
    Top Management : 194.54.88.0-194.54.91.255
    Russian Business Network : 81.95.144.0-81.95.159.255

    This is also a great way to block access to websites you dont want employees on in a way that they are unlikely to be able to reverse . You could add some permission funny business on top to make it even harder .

    As far as I know RunScanner is one of the only tools that scans for this .
     
  15. Trendstone71

    Trendstone71 Registered Member

    Joined:
    May 30, 2008
    Posts:
    7
    Kaspersky Internet Security 2009
    (still in Beta), but have an eye on it.
    In June, they are about to Officially Release it.

    It is light and very effective!

    An All-in-one Solution:
    A Reliable AV and the best FW found in a Internet Security Suite.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Trendstone, I believe what you are saying, but what about the annnual renewal costs? I interpretate Newby's post as this being a crteria also .
     
Loading...
Thread Status:
Not open for further replies.