Some help needed

Hi all.

I don't trust my malware protection anymore (see my sig for details), as it seems my computer got infected yesterday. Since I don't trust my protection, I also don't trust that the removal was 100% or that I don't have other nasties fooling around in my laptop.

So I'm performing a full clean install of XP thumbd: last one was only 2 months ago and I didn't made an image of the fresh install).

I'd like some suggestions, right now I'm thinking of the following setup:

1.- Image of fresh install
2.- Image "1.-" + applications
3.- Incremental backups every 2 weeks

4.- Keeping NOD32
5.- Returnil

I'm also thinking of a behavior blocker. Is this really necessary with Returnil? I'm doing my research right now, since this is a new topic for me and I don't know much about them. If you could suggest some to try... I prefer freeware, but if a paid version is way better, that's ok. Right now I'm going to try NeovaGuard and EQSecure.

I also would like to know what is exactly what GesWall does and how does it work. Would it be a good addition?

How does Windows SteadyState compare to Returnil in terms of: configuration capabilities, ease of use?

Thanks

PD: the other way to go is linux, but PLEASE don't suggest that in this thread, as i'm already testing it

 

Heres what i do,
1. Install OS, make an image
2. Update OS, make an image
3. Install apps, make an image
4. Tweak settings, defrag, make an image

I wouldn't say a BB is necessary however i don't know if returnil is bulletproof. Having the extra security layer of a BB could be helpful should returnil fail.

Geswall restricts certain programs from accessing important areas of your computer. Personally i use defensewall which does the same thing, however its not free.

Steadystate works much the same as returnil and has similar features. I'd say its a little harder to use and i found it to be quite buggy on my system. One advantage it does have over returnil is the ability to revert changes after multiple reboots.

 

Hi

I have both (GW and DW) and DefenseWall is easier to use. Although Brian (of GW) is absolutely helpfull. GW is jus a bit faster than DW.

I am wondering how you got infected with Returnil on. ThreatFire free is a good ap. I personally do not see what is the use of having a virtualisation program and a policy HIPS sandbox. Ilya of DW is pretty clear about virtualisation, although Sandboxie seems to be as strong as GW and DW. I just bought DW and GW (for different PC's) to see which would be best. So far they are pretty much equal with DW being the one which is trouble free (DW once blocked the new DRM implementation which lost us some music files, but Brian reacted within two hours). GW is a litte bit faster that is why my son (Gamer) preferred GW on his old PC.

On all three PC's we only use a sandbox and a behavior blocker with no AV and we have never run into any trouble. I guess that PRSC (paid) is the user friendliest (and only choice on Vista64), ThreatFire is very strong, A2's IDS is available in a lot of languages. When you understand English very well I would choose the free TF.

When you have a maxtor or seagate you can use free image backup program (like Maxxblast). Syncback free is an easy to use backup program for your data files.

Regards Kees

 

Thats because right now I'm not using Returnil. I'll add it after the new XP install to avoid infections.

 

Okay I understand. When you are happy with Returnil you would not need a soft sandbox like GW or DW.

 

There is a long list of good security software. A good setup is the one u like and it likes ur system( no conflicts) and give u a good ablance of security and usbility.

Ur iamge backup is the most trust worthy thing.
U need a good AV, a hardware FW and software FW if u want outbound.

For solid protection, u might need a HIPS with execution , registry protection and file protection( one or all three features- depends upon ur need and liking) I am using EQS but keep in mind that HIPS give a lot of popups and it,s not easy to maintain them esp if u are installing uninstalling software often. In that case Sandbox/ virualization is the best way to go.
Many choices: Sandbocie, GesWall, DfenceWall
Returnil, ShadowDefender etc

I will say ThreatFire is a user friendlty HIPS( behav blocker) that will not give u too many popups.

There is alot of choice. Make a clean image of ur XP install and then try these software one by onem, this is the only way to know what,s best for you. Suggesstions can,t make ur final decisions.

 

I think your underlying point is based on a myth. That any level of security - layered or otherwise - will guarantee you 100% protection on a Windows box.
Your security software seems excellent to me. If they were all kept fully updated and you ran the stand alone scanners, then really you should be posting what the exact infection (name and file paths) was and remove it according to expert advice on an expert malware forum.
You could also investigate how you got it, since there are many ways you could have got infected that virtually no security software will block if it was due to some net behaviour of yours.
If you don't investigate those two things, then you can change your security set up and reinstall your OS until the cows come come home but it wont stop the same thing happening again.

 

Regarding Returnil vs SteadyState: go with Returnil.

One good thing about SteadyState is that it will ask you, when you try to restart/shutdown Windows, whether you want to save or discard the changes made during that session. This is much more convenient than Returnil, where you have to keep protection turned on 24/7 to protect you from accidental screwups. SteadyState, however, is noticeably less stable than Returnil. SteadyState requires the use of a cache file that eats up to 50% of your total HD space, and trying to reduce that amount resulted in a necessary reboot and a complete system freeze after said reboot for me. If you want to save session changes, you need to reboot twice. And finally, I noticed significantly more disk activity with SteadyState. Returnil, on the other hand, is completely quiet and unnoticeable.

 

See this thread for further details:

https://www.wilderssecurity.com/showthread.php?t=189249

It was a file called "magicisosetup.exe". I needed to burn an image CD, and a "friend" sent me this file. Later I saw that magicISO is a non-freeware program and that this was some sort of crack (or claimed to be one). Today I managed to find the exact same file on uTorrent, and downloaded it, to do some research on it.
Uploaded it again to virustotal, and this time NONE of the scanners found anything. Not even the 4 that found it before. So I decided to run it, isolated with GesWall. Same cmd screen, now a bit longer.

GesWall log had 3 entries (quoted by my memory, I uninstalled GEsWall and installed Returnil now):
1.- ntvdm.exe ISOLATED from explorer.exe
2.- ntvdm.exe DENY disk writing
3.- ntvdm.exe DENY disk writing

After that I deleted the file and restored to a few hours earlier.
I'm still determined to reinstall XP, image the drive and rely on returnil from now on.

 

Well it does suggest it is best never to trust a file sent from a friend unless you have first investigated it widely for its safety.
It's totally cool for you to reinstall OS whenever and however many times you like, though in this case to what purpose I really don't know. But if it makes you feel better then that is totally cool, a bit like taking the sun - anything that gives us a feeling of well-being over and above any downside.

 

There are lot of trusted freeware applications, I don,t think that u need to download a crack or ask some friend to send u an exe for it.

 

You've already found the cause of your infection, but it never hurts to read this excellent article done by Castlecops.

The best answers can be found on GeSWall own site. Take your time to read and reread the concepts explained:
GW's technology
GW's access control policy
GW's FAQ
GW's docs
Access control policy in action:

ntvdm.exe is Windows 16-bit Virtual Machine, necessary to run DOS applications in XP.

Two wonderful little freebies which should be more than enough for your image burning needs:
ImgBurn
BurnCDCC (direct download)

 

I know...I wasn't looking for a crack... my cracking days are looooong gone now

I just asked him if he knew some software and he sent that file to me...

 

I did not mean this. I know u got the file from ur friend by chance.

Best way to search on this or some other trsut worthy forums and u could have found a lot more suggesyions for such a asoftware.

Anyway we learn by our mistakes!

 

You lowered your defenses because you trusted him. I'm much more cautious if my sister sends me a link by IM than if I receive a mail offering cheap Viagra.
I can't trust the skills of my buddies and I trust them even less if they give me links and/or executables.

 

In short, SteadyState has more capabilities, but Returnril is far more stable and faster.

 

Another player in the sandbox/virtualization field is ZoneAlarm's new ForceField. It's still in beta and you can download it free from our site here: www.zonealarm.com/forcefield. It's super easy to use, looks out for other security risks (like phishing and keylogging), and keeps everything you look at private as well.

Good luck!
~Lauren
www.zonealarm.com/forcefield