What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Bitdefender's too heavy for my box... unless it has had a MAJOR overhaul since I've last looked at it.

    Nah, if I decided to look at a real-time AV again it'd have to be something near the footprint of an Avira/Avast with file guard/shield only. In fact I think I may even be able to disable the real-time file components and use a GP tweak to get it to fire only when new files are introduced to my box... making it uber light. It could hit up things automatically that come in via removable drives/USB, while I keep VTHC in place for my browser.

    Of course it's not an issue really since I have removable/USB sandboxed and would shell scan anything before putting it on my box. But still... thinking about it. The Script Shield of Avast also, in case I allow a script through NoScript and it proves to be a mistake. But again... sandboxed.

    Man... Sandboxie really takes away any need to be creative and play with my setup like I used to. I "almost" want to remove it on grounds it's too effective, and makes me bored.
     
  2. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    LOL

I'm debating on adding Applocker to my setup as can be seen in my signature. What do you guys think? Personally, I feel that Sandboxie is extremely effective BUT, for a few things I'm using it with, it would be easier to whitelist with Applocker and not run them Sandboxed. Of course if I end up adding Applocker for this reason, I might as well ditch Sandboxie then. Gah. So many possibilities.
     
  3. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Couple questions Kees. :) In your attached image, which I think you've said previously, it says: "SRP: Set Default Level to Basic User ..." But AFAIK, the "Basic User" level just blocks stuff in Win 7, right?

    What does that do? With UAC, that stuff is already at Medium Integrity, so does setting Medium explicitly on the files prevent them from ever elevating or something?
     
  4. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    @DR_LaRRY_PEpPeR, Actually, IIRC, the Basic User option in SRP doesn't do anything in 7 and Vista since UAC has been implemented and it was just carried over from XP. Because of this, I think he meant that it was applied to standard users. As for the integrity levels, I think he meant low, as that was the trend on his old configurations but you never know what Kees will throw out there.

    EDIT: Actually, I just checked and the Basic User option in SRP has this description: "Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users." So if you enabled this on XP, wouldn't this somewhat be the same as having UAC enabled on an administrator account in Vista/7? Of course, you wouldn't have the virtualization that UAC has but the access and integrity levels would work the same, no? Also, since "Basic User" and UAC appear to do similar things, wouldn't that mean you could somewhat implement UAC functionality in Vista/7 with this option while having UAC turned off? I don't know why you would do this but I'm just wondering.
     
    Last edited: Feb 22, 2013
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
Hey Luciddream, I know the feeling. I've been using the same setup for over two years; when I feel a little bored because the setup doesn't change at all, I fire up SD and try something under it. For example, last night I played with the SBIE beta under SD in my XP.

    To me, coming to this thread and seeing people talking about security products they are trying is like seeing children talking about playing with toys that I am not allowed to play with.

    Bo
     
  6. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,254
    Location:
    Texas
    Bo...using Sandboxie is like being the Maytag service man...nothing to do. Hope you are doing well!!! :thumb:
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Funny, and true. But the operative word is "almost", right?
    Sandboxie's presence may at first create boredom, but one soon realizes and appreciates the extra spare time it magically produces. More time to rediscover other aspects of life... that should be SBIE's slogan! :D
     
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Well said my friend :thumb:
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Page, my friend, you are right on the money. Having that spare time to do other things is one of the great benefits of using Sandboxie.

    Bo
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
A few months after I started using SBIE, I actually did uninstall SBIE for a few days. I did it because I was bored. Before SBIE, I was doing scans all the time and cleaning an infection once or twice a year, that made things exciting. Right? Well, all that changed when SBIE came around. Now, I don't do any scans, don't get infected but have the extra time that Page:cool: mentioned to do the things that I really enjoy doing. That's what SBIE is all about.

    RR, take care brother

    Bo
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Yep. :thumb:
    I feel the same way. I've found a setup that is light and strong. I'm finding it kind of boring. I keep trying to add things but realize that I really don't need them. I still find time to try different things out though. You have to keep up with the times.
     
  12. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
The feeling you describe is the same feeling I get when I use a Linux machine! LOL
     
  13. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    :rolleyes: Yes no security needed whatsoever on one of those.
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah... the "almost" was a very key word. I have no desire to go back to the way things were.

    Still, there are times I consider putting on a real-time AV again. But then every time I run an on demand scan with something, and see how sluggish my box is afterward, I come to my senses. I have to reboot to get things back to normal.
     
    Last edited: Feb 22, 2013
  15. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
Sandboxie makes me rarely post on Wilders

because I don't have anything to share....

and I just love the way it stops me from downloading AV definitions, then I use the precious bandwidth for fun :D
     
    Last edited: Feb 22, 2013
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Windows 7 Ultimate 32 bits with internal FireWall also controlling outbound traffic, Norton DNS set at router with SPI FW

    Restrictions for Everyone (including Administrators)
- UAC: set to full and deny elevation to all unsigned executables (e.g. Media Player Classic, 7-ZIP)
    - GPO: Deny installation of unsigned drivers and active-X, disabled autoplay and execute access to USB
    - ACL: Deny execute for everyone on User Shell Folders, Public and Internet/Download folders
    - EMET: set system wide DEP, SEHOP, ASLR to maximum

    Restrictions for Users/Medium Integrity Level processes
    - SRP: Deny execute for all files (outside Windows and Program Files) and all users (except Admins)
    - GPO: Locked IE10/Chrome/Outlook settings, hardened logon, shell and HKCU-autostarts
    - ACL: Added Mandatory Medium Level Integrity to Outlook E-mail and Foxit PDF-reader
    - EMET: added Chrome, IE10, Outlook, Foxit, 7-ZIP and Media Player Classic

Restricted by Low Rights/Integrity Level sandbox
    - IE10: for on-line banking only (IP/SSL FireWall filter), Keyscrambler free (only admin approved add-on)
    - Chrome: for daily browsing incognito, click to play flash, allow javascript only from COM, NL, EU, ORG, NET and EDU domains

    On demand
    HitmanPro free

Lazy admin security practice: first - only download from known sources, second - prevent unintended installation, third - only allow signed software to elevate (not blacklisted by 2 IP-filters and 5 AV-engines)
     

Attached Files: Easy.png
    Last edited: Feb 23, 2013
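The "ACL: Deny execute for everyone on User Shell Folders, Public and Internet/Download folders" line above can be reproduced with a short script. The following is an added example, not Kees1958's own configuration or attachment; the folder list (the current user's Downloads folder and the Public profile) is an assumption, and the script must run from an elevated prompt.

```powershell
# Added example: apply and audit a "deny execute for Everyone" ACE on
# user-writable folders, as in the ACL line of the setup above.
# A Deny ACE for Everyone (S-1-1-0) also binds administrators, which matches
# the "Restrictions for Everyone (including Administrators)" heading.

$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Assumed target list: folders the user can write to and should not also execute from
$Targets = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:PUBLIC
)

function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Deny ExecuteFile, inherited by all existing and future files and subfolders
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $true when a Deny ACE for Everyone that covers ExecuteFile is present
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $Everyone -and
            $ace.AccessControlType -eq 'Deny' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)) {
            return $true
        }
    }
    return $false
}

# Apply where missing, then report the resulting state for each folder
foreach ($folder in $Targets) {
    if (-not (Test-DenyExecuteAce -Path $folder)) { Add-DenyExecuteAce -Path $folder }
    '{0}: deny-execute present = {1}' -f $folder, (Test-DenyExecuteAce -Path $folder)
}
```

Files still open normally (the ACE only removes the execute right), so a downloaded installer has to be moved to an allowed location before it will run, which is the "prevent unintended installation" step in the lazy-admin list.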
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Looks like an awesome balance of security & usability/convenience Kees. Which IMO is the desired goal no matter what OS you're using. When you come to find you're blocking yourself, and fighting your own restrictions every step of the way... it's time to ease up a bit.

    Sweetest Win7 setup I've ever seen.
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
Kees you should make an e-book for "Lazy admin security practice"
    step by step instruction.
    I'll definitely buy it, if the price is right :D
     
  19. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
The only thing that could make it better is Sandboxie... but I know he's anti-3rd party. He has an integrated sandbox for Chrome, but for other apps... SBIE is just so sweet. It's practically 2nd party because in a way it takes advantage of measures already in place on his OS & CPU (virtualization, Dropped Rights, isolation).

Maybe even just throw MSE/Defender on there too. It wouldn't break the 1st party app rule and would probably add no footprint. But some attack surface. And since you probably shell scan new files from any vector with HMP... unneeded. But just saying, a 1st party possibility.

    And/or use VT Hash Check instead of Hitman Pro. 45 engines instead of 5, and it's quicker. Pops up quicker & no 10 second countdown after. Trid analyzes unknown files, and/or you can upload them to VT with 1 click.

    Just food for thought... far be it from me to question your setup, of all people.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah, I got a lot of my concepts for the Safe Admin I run on XP from him. And also back when I ran a real-time AV, I believe it was he that taught me how to make it uber light. Make it so that I could even disable the File Shield and still have it autofire for new files... I just mentioned this tweak yesterday actually.

    Dude is the king of integrated hardening. He, Sully, HungryMan, wat, Dgiji, and Page42 have been God sends to me over time... and now 0strodamus is moving himself to the front of the list in a major way... helping me to get ASLR, SEHOP, and EMET app mitigations in place here on XP without having to install .NET FW.

    If I can pull it off I'll be so happy.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Got no problems with SBIE, since Tzuk respected the Low Rights container of Chrome; I also congratulated him on his forum for it. I think it is amazing three of the best sandboxing/policy container apps were Russian (GeSWall, DefenseWall and Sandboxie).
     
  22. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    My new setup is: NoVirusThanks EXE Radar Pro + SpyShelter Firewall + HitmanPro + OpenDNS
    It's so light...
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hey Kees, Tzuk is from Israel.

    Bo
     
  25. chris1341

    chris1341 Guest

    Wasn't Geswall's main developer/founder Andrey Kolishchak (now with Beyond Trust?). I'm sure I saw something once suggesting he is originally from Russia. Certainly a Russian name.

    The talented Mr Tzur is from Israel though.
     