Some help needed

Discussion in 'other anti-malware software' started by HURST, Oct 25, 2007.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi all.

    I don't trust my malware protection anymore (see my sig for details), as it seems my computer got infected yesterday. Since I don't trust my protection, I also don't trust that the removal was 100% or that I don't have other nasties fooling around in my laptop.

    So I'm performing a full clean install of XP (:thumbd: last one was only 2 months ago and I didn't make an image of the fresh install).

    I'd like some suggestions, right now I'm thinking of the following setup:

    1.- Image of fresh install
    2.- Image "1.-" + applications
    3.- Incremental backups every 2 weeks

    4.- Keeping NOD32
    5.- Returnil

    I'm also thinking of a behavior blocker. Is this really necessary with Returnil? I'm doing my research right now, since this is a new topic for me and I don't know much about them. If you could suggest some to try... I prefer freeware, but if a paid version is way better, that's ok. Right now I'm going to try NeovaGuard and EQSecure.

    I also would like to know exactly what GesWall does and how it works. Would it be a good addition?

    How does Windows SteadyState compare to Returnil in terms of: configuration capabilities, ease of use?

    Thanks

    PS: the other way to go is Linux, but PLEASE don't suggest that in this thread, as I'm already testing it :D
     
    Last edited: Oct 25, 2007
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Here's what I do:
    1. Install OS, make an image
    2. Update OS, make an image
    3. Install apps, make an image
    4. Tweak settings, defrag, make an image

    I wouldn't say a BB is necessary, however I don't know if Returnil is bulletproof. Having the extra security layer of a BB could be helpful should Returnil fail.

    GesWall restricts certain programs from accessing important areas of your computer. Personally I use DefenseWall which does the same thing, however it's not free.

    SteadyState works much the same as Returnil and has similar features. I'd say it's a little harder to use and I found it to be quite buggy on my system. One advantage it does have over Returnil is the ability to revert changes after multiple reboots.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi

    I have both (GW and DW) and DefenseWall is easier to use. Although Brian (of GW) is absolutely helpful. GW is just a bit faster than DW.

    I am wondering how you got infected with Returnil on. ThreatFire free is a good app. I personally do not see what is the use of having a virtualisation program and a policy HIPS sandbox. Ilya of DW is pretty clear about virtualisation, although Sandboxie seems to be as strong as GW and DW. I just bought DW and GW (for different PCs) to see which would be best. So far they are pretty much equal, with DW being the one which is trouble free (DW once blocked the new DRM implementation which lost us some music files, but Brian reacted within two hours). GW is a little bit faster, that is why my son (gamer) preferred GW on his old PC.

    On all three PCs we only use a sandbox and a behavior blocker with no AV and we have never run into any trouble. I guess that PRSC (paid) is the user-friendliest (and only choice on Vista64), ThreatFire is very strong, A2's IDS is available in a lot of languages. When you understand English very well I would choose the free TF.

    When you have a Maxtor or Seagate you can use a free image backup program (like Maxxblast). SyncBack free is an easy to use backup program for your data files.

    Regards Kees
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    That's because right now I'm not using Returnil. I'll add it after the new XP install to avoid infections.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay I understand. When you are happy with Returnil you would not need a soft sandbox like GW or DW.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There is a long list of good security software. A good setup is the one you like and that likes your system (no conflicts) and gives you a good balance of security and usability.

    Your image backup is the most trustworthy thing.
    You need a good AV, a hardware FW and a software FW if you want outbound.

    For solid protection, you might need a HIPS with execution, registry protection and file protection (one or all three features, depends upon your need and liking). I am using EQS but keep in mind that HIPS give a lot of popups and it's not easy to maintain them, esp. if you are installing/uninstalling software often. In that case sandbox/virtualization is the best way to go.
    Many choices: Sandboxie, GesWall, DefenseWall,
    Returnil, ShadowDefender etc.

    I will say ThreatFire is a user-friendly HIPS (behav. blocker) that will not give you too many popups.

    There is a lot of choice. Make a clean image of your XP install and then try these software one by one, this is the only way to know what's best for you. Suggestions can't make your final decisions.
     
  7. StevieE9

    StevieE9 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    139
    I think your underlying point is based on a myth: that any level of security - layered or otherwise - will guarantee you 100% protection on a Windows box.
    Your security software seems excellent to me. If they were all kept fully updated and you ran the stand-alone scanners, then really you should be posting what the exact infection (name and file paths) was and remove it according to expert advice on an expert malware forum.
    You could also investigate how you got it, since there are many ways you could have got infected that virtually no security software will block if it was due to some net behaviour of yours.
    If you don't investigate those two things, then you can change your security setup and reinstall your OS until the cows come home but it won't stop the same thing happening again.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Regarding Returnil vs SteadyState: go with Returnil.

    One good thing about SteadyState is that it will ask you, when you try to restart/shutdown Windows, whether you want to save or discard the changes made during that session. This is much more convenient than Returnil, where you have to keep protection turned on 24/7 to protect you from accidental screwups. SteadyState, however, is noticeably less stable than Returnil. SteadyState requires the use of a cache file that eats up to 50% of your total HD space, and trying to reduce that amount resulted in a necessary reboot and a complete system freeze after said reboot for me. If you want to save session changes, you need to reboot twice. And finally, I noticed significantly more disk activity with SteadyState. Returnil, on the other hand, is completely quiet and unnoticeable.
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    See this thread for further details:

    https://www.wilderssecurity.com/showthread.php?t=189249

    It was a file called "magicisosetup.exe". I needed to burn an image CD, and a "friend" sent me this file. Later I saw that MagicISO is a non-freeware program and that this was some sort of crack (or claimed to be one). Today I managed to find the exact same file on uTorrent, and downloaded it, to do some research on it.
    Uploaded it again to VirusTotal, and this time NONE of the scanners found anything. Not even the 4 that found it before. So I decided to run it, isolated with GesWall. Same cmd screen, now a bit longer.

    GesWall log had 3 entries (quoted from my memory, I uninstalled GesWall and installed Returnil now):
    1.- ntvdm.exe ISOLATED from explorer.exe
    2.- ntvdm.exe DENY disk writing
    3.- ntvdm.exe DENY disk writing

    After that I deleted the file and restored to a few hours earlier.
    I'm still determined to reinstall XP, image the drive and rely on Returnil from now on.
     
  10. StevieE9

    StevieE9 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    139
    Well it does suggest it is best never to trust a file sent from a friend unless you have first investigated it widely for its safety.
    It's totally cool for you to reinstall OS whenever and however many times you like, though in this case to what purpose I really don't know. But if it makes you feel better then that is totally cool, a bit like taking the sun - anything that gives us a feeling of well-being over and above any downside.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There are a lot of trusted freeware applications, I don't think that you need to download a crack or ask some friend to send you an exe for it.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You've already found the cause of your infection, but it never hurts to read this excellent article done by CastleCops.
    The best answers can be found on GeSWall's own site. Take your time to read and reread the concepts explained:
    GW's technology
    GW's access control policy
    GW's FAQ
    GW's docs
    Access control policy in action:
    ntvdm.exe is Windows 16-bit Virtual Machine, necessary to run DOS applications in XP.
    Two wonderful little freebies which should be more than enough for your image burning needs:
    ImgBurn
    BurnCDCC (direct download)
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I know...I wasn't looking for a crack... my cracking days are looooong gone now :ninja:

    I just asked him if he knew some software and he sent that file to me...:mad:
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I did not mean this. :) I know you got the file from your friend by chance.
    Best way is to search on this or some other trustworthy forums and you could have found a lot more suggestions for such software.

    Anyway we learn by our mistakes!
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You lowered your defenses because you trusted him. I'm much more cautious if my sister sends me a link by IM than if I receive a mail offering cheap Viagra.
    I can't trust the skills of my buddies and I trust them even less if they give me links and/or executables.
     
  16. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    In short, SteadyState has more capabilities, but Returnil is far more stable and faster.
     
  17. zonealarmforcefiel

    zonealarmforcefiel Lurker

    Joined:
    Oct 15, 2007
    Posts:
    4

    Another player in the sandbox/virtualization field is ZoneAlarm's new ForceField. It's still in beta and you can download it free from our site here: www.zonealarm.com/forcefield. It's super easy to use, looks out for other security risks (like phishing and keylogging), and keeps everything you look at private as well.

    Good luck!
    ~Lauren
    www.zonealarm.com/forcefield
     