What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Rigz

    Rigz Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    65
    Location:
    Earth
    Haven't seen too much for Macs on here so...

    OS X 10.11.1
    Standard user account and a separate Admin account for administrative tasks
    OS X Firewall enabled
    OS X FileVault encrypted system drive
    VeraCrypt for encrypted containers and external drives
    Avira Antivirus
    Little Snitch
    Tunnelblick
    Modified hosts file (http://someonewhocares.org/hosts/)
    Ghostery
    HTTPS Everywhere
    OpenDNS and privacyfoundation.ch when I'm not using a VPN's DNS
     
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    It sounds like you use Outpost. Agnitum still relies on windows to auto-inject that file using AppInit / a registry entry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

    Starting around the time Windows 8 was released (maybe earlier?) MS recommends devs NOT use AppInit any more and I would not be surprised if it was removed entirely in a future build of Windows: https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx

    So far I haven't found anything better than SysInternals (Now owned by MS) AutoRuns combined with Process Explorer to figure out what's loaded. Maybe the NVT program Kernel Mode Drivers Manager for kernel modules (seems to show stuff LoadOrder doesn't, eg dlls) but that wouldn't help in this case.
     
    Last edited: Nov 16, 2015
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    Thanks, Syrinx. I forgot Autoruns might show something.
    Yes I use OSS mostly, Private fw sometimes. I was answering somebody's question about 64bit HIPS and I guess the context didn't come through.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Sandboxie and NoVirusThanks EXE Radar Pro.
     
  5. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,838
    My security setup

    Real-time:

    SecureAPlus
    Blue Coat K9 Web Protection

    Windows:

    Windows Defender = Off
    Windows Firewall = On
    Windows SmartScreen = On
    Windows Update = On
    UAC = Default
    Security & Privacy tweaks applied

    Network:

    Router NAT
    Manual configuration/Hardening
    Verisign Public DNS

    Browser:

    Mozilla Firefox
    DuckDuckGo
    Adobe Flash = Ask to Activate
    uBlock Origin
    Security & Privacy tweaks applied (about:config)

    On-demand:

    Shadow Defender
    AdwCleaner
    Kaspersky Virus Removal Tool
    Malwarebytes Anti-Malware

    Other Tools:

    CCleaner
    PrivaZer
    Autoruns
    O&O ShutUp 10
    Spybot Anti-Beacon
    VPN (Occasional use on mobile devices)​

     
    Last edited: Nov 17, 2015
  6. old school

    old school Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    29
    Location:
    Spain
    Hi all.

    Windows 10 64 PRO + EAM + Webroot +Crystal Security + GlassWire Beta + WinPatrol free

    Have a Nice day
     
    Last edited: Nov 17, 2015
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,505
    Location:
    Slovenia
    Have a nice day to you too, @old school and welcome to forum.
     
  8. ifacedown

    ifacedown Registered Member

    Joined:
    Oct 12, 2013
    Posts:
    121
    Location:
    Philippines
    ESET NOD32 9
    McShield

    Windows Firewall
    K9 Web Protection
    UAC default

    Zemana Antimalware 2 w/ Realtime Protection (Yes! Realtime! I tested it and working!)
    Emsisoft Emergency Kit 10
    Shadow Defender

    Autoruns
    CCleaner
     
  9. old school

    old school Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    29
    Location:
    Spain
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I just found out it as well. :)
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Using AppInit_DLLs registry for dll injection at boot time is a security risk. One of the oldest methods of malware dll injection is to load its dlls in that registry key. You will receive a warning message in your WIN event log that dlls are being loaded but monitoring which ones are doing so would be abandoned over time since it would be assumed that only Outpost's dlls are loading.

    Question is if Outpost's HIPS monitors AppInit_DLLs registry key to ensure only its dlls are loading?
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    hi all I really missed DefenseWall,i was out of the net for long time and I was hopping to see a defensewall 64 bit version.o_Oo_Oo_Oo_Oo_Oo_O
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    Do these pics answer your question?
    AppinitWatch1.png
    AppinitWatch2.jpg
    If that value is not "" it means Outpost watches it, right? (I'm learning as I dig out the info for you, in case you haven't guessed) If yes, does it mean no other can load?
     
  14. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    125
    Location:
    Greece
    Setup I called it "NoMoney"
    1. Windows XP Home (Admin Account)
    2. Malwarebytes Anti-Exploit
    3. NoVirusThanks EXE Radar Pro (Beta)
    4. Chrome starts with DropMyRights (ublock Origin, LastPass)
    5. CryptoPrevent
    6. Yandex DNS (Safe) on router
    7. K9 Web Protection
    8. Unchecky
    9. 1806 registry trick (Thanks Kees)
    10. No Java
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    LoadAppInit_DLLs registry field just controls whether dll loading from the AppInit_DLLs registry field is allowed. A dword value of 0 = no; a value of 1 = yes. If you check the LoadAppInit_DLLs registry field, it probably is set to 1. Outpost is monitoring the AppInit_DLLs registry field directly for any changes to it.

    One recommendation I make for WIN 7 users is to change the RequireSignedAppInit_DLLs registry field from the default dword value of 0 to a value of 1. This will ensure only signed dlls are loaded from the AppInit_DLLs registry field. I assume your NVidia and Outpost dlls are signed that currently reside in that registry field.

    Note: On some WIN 7 builds, the RequireSignedAppInit_DLLs registry field is missing. In that case, a new like named field must be added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key with a dword value of 1. I assume you know how to properly edit the registry. If you don't, then ignore this recommendation.
     
  16. Windows 10 Pro 32 bits Desktop (G3240 CPU 4GB RAM 64 GB SSD 2x500GB HD)
    1. Disabled autoruns, 16bits, cmd, scripts, shared, offline, sync and remote
    2. Deny elevation of unsigned executables, internet apps in AppContainer*
    3. Block active content in trustcenter, block third party with uBlock0
    4. WFW blocks in-and outbound connections using Open DNS URL
    5. Deny execute Software Restriction Policy for all users/files

    Safe Admin policy: 1=reduce surface, 2=restrict rights, 3=mitigate threats, 4=filter internet, 5=deny execution
    note: Chrome using its own low/untrusted rights sandbox, reading emails in plain text in Outlook 2007
     
    Last edited by a moderator: Nov 22, 2015
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    LoadAppInit_DLLs = 1.
    I don't see NVidia in the key. EDIT: ignore this line as I misunderstood something.
    Outpost and NVidia drivers in system32 are signed. Why did you pick NVidia, there's intel, realtek, others...
    RequireSignedAppInit_DLLs is missing. I'll add it. Makes sense. Restore image if it breaks the laptop.

    This thread is mostly about users' setups. I feel out of place doing Outpost details at this point (I love it, I'm learning). It started with just answering a query one page back(#37245), but it might not be wise to continue in this thread. Suggestions?
     
    Last edited: Nov 18, 2015
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    73,267
    Location:
    U.S.A.
    Correct! Let's Stop All the Outpost Discussions Here.

    There are Recent Outpost Threads in the Firewall sub-forum. Continue Your Discussion There. Thanks!
     
  19. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Changed to what is in my signature... No complaints so far. :thumb:
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Aren't you taking this obsession with "Windows Security" a bit too far? I almost never see you post anything about anti-malware tools anymore. Come on, this ain't fun anymore. :D
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    This is exactly what I'm using at the moment, but the plan is to add HIPS and perhaps anti-exploit. I already used MBAE Premium, but combined with ERP it gave me shutdown problems. And I'm reluctant to try HMPA, because of all the issues that are posted.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Little Snitch looks kinda cool.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Not had any problems using HMPA with (light usage of) SBIE, and ERP. Only one small issue, but that is due to using WSA. Maybe give it a trial?
     
  25. You are right. I have tweaked this safe-admin setup passed the limits of where I am enjoying it myself. I am done with third party security and security in general, reducing my contribution to Wilders to a boring securing windows niche.

    I also stopped throwing malware at my desktop setup, because my friend (a malware reverse enginer) moved abroad (cutting me off from the honey pot collecting with new in the wild malware samples). The public available malware is not able to pass the combo of my hardened Windows with Chrome sandbox.

    But have a look at the 'other malware section" there are really few HIPS-based applications left to play with.

    Re-HIPS might be a nice free policy based HIPS, but AppGaurd (paid) is king of the mountain. Same applies for Cybergenic Shade, it has an even higher hill to climb to compete with Sandboxie in the application virtualisation market. Both might face hard time in consumer market since all windows Apps run in AppContainer and office is available as free cloud application (making added value of guarded apps questionable) and Chrome Sandbox (Chrome and AppContainer-apps making added value of Sandboxie questionable).

    The most (free) interesting security programs at the moment are Bouncer and Smart Object Blocker. But they are power users tools, due to limited or lacking using interface their user-base will be limited. Since I already have a Windows 10 Pro version, the added value of Bouncer/SOB is limited for me personally.

    The improvement in security in general sort of takes away the fun of throwing rocks at your own window(s) when you know it is without risk. For me the balance shifts from "when it is not broken, you have not tried hard enough" to "when it is not broken, don't fix it". When I don't break or fix things, there is little to post about :'(
     
    Last edited by a moderator: Nov 19, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.