What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,634
    update:

    added
    removed

    Resident:

    nod32
    looknstop
    regrun gold
    proxomitron
    SnoopFree Privacy Shield
    SpywareGuard
    HostsMan (with MVPS Hosts, Mike's Hosts, and Block Adverts)

    On-Demand:

    ewido anti-malware
    ad-aware SE

    Other Security / System Hardening:

    nLite'd Windows XP (with service tweaking based on TweakHound's guide)
    RyanVM's Windows XP Post-SP2 Update Pack
    BugOff
    Harden-it
    Samurai HIPS
    SafeXP
    Windows Worms Doors Cleaner
    process explorer
    firefox extensions: javascript options, noscript, permit cookies, and netcraft toolbar
     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Actually you are planning to pick the best of them, not run all of them!

    Imagine if Neovguard is a real star, but because you run it with PG free, you get some problem that *seems* to be caused by Neovguard but is actually due to some incompatibility with PG free. This could lead you to reject Neovguard for the wrong reasons.

    Whatever gave you that idea? I'm not impressed by people who think they can judge whether HIPS A or B can improve resistance more to advanced malware though. :)

    Well they might of course, but who knows? Is Neovguard truly better than PG? :)


    Well I suppose it makes more sense to pretend that you know what "windows messages" is, and why blocking it is important. :)

    My dear naive Rasheed, leaving aside whether it is true antimalware is getting more advanced, can't you see, it is to the advantage of people who hawk security software to convince consumers they *need* such features?

    Are you truly so innocent about the ways of marketing? It's a time honored tradition in the computer security industry for 'experts' to talk about some new dangerous threat, which just happens to be covered by a product they are hawking....

    Ah the old insurance analogy. When you buy insurance for a car, or life, presumably you are able to estimate the likelihood and damages. I'm just wondering if you can do the same with 'HIPS'. Probably not.

    Good enough for what? To determine if product A gives better resistance to advanced malware than product B? I don't believe that, do you?


    A pity you are running away. :) We could both learn so much...
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Like I said before, all of these products have their strengths so if possible I would like to use them all. If they can't be used at the same time I will have to make a choice.

    I have already explained my view on this matter, I believe that the more you protect the safer you will be.

    I'm sure that some malware out there will try to achieve a certain goal by using "Windows Messages".

    This is true to a certain degree, but a lot of vulnerabilities in the past (mainly in IE) have proven that we need more advanced antimalware tools.
    Well I did, I said that the chance is not that big, but it's still possible.

    Good enough to determine if an app does really work and can protect against malware or not.

    I'm not running away but like I said before we both made our points plus it's no use if I have to keep repeating myself. I don't see the point of this discussion any longer.
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I wouldn't say that adding more HIPS makes you any more secure. It may even make you more prone to just allowing things without giving them enough consideration, which would actually decrease your security. If it was true then how could it be that one person with nothing more than a firewall could possibly be more secure than another person running ten different apps? In the right hands, HIPS can be a great tool, but the reality is that most people do not know how to interpret actual malware alerts. Malware is usually made to look like legitimate system files, and most users aren't going to know the difference. Perhaps if you just got in the habit of blocking everything, but then you'd probably be better off just setting up a limited user account. It also doesn't do you much good to have an alert about a single action without knowing the rest of how that process is going to behave. Maybe with lots of alerts it may become obvious that all the things that it's doing amount to something bad, but by that time it's too late, and you'll need a scanner to clean it up.

    This is also why I don't think that running leaktests and other demonstration trojans is a real way of testing the effectiveness of your apps, and I think that many times these tend to distract from the overall picture. Which would be better, something that stops in-memory attacks, like DLL injection/hooking, thread injection, etc., or something that only stops file system events? The problem is that you can't really say. The app that covers file system events could stop the malware before it ever gets the chance to execute, so it wouldn't even get the chance to set a hook. Leaktests may be good at testing that apps will stop the things that they claim to, which is great for beta testing, but it really doesn't do anything to indicate the overall security of your system. It's one thing to download something consciously pretending that it's malware and going through the routines with full awareness of what's going on, it's quite another to be faced with the covert installation of real malware.

    In order for such things to be effective, alerts would need to be the exception, rather than the rule; that is, rare. Alerts would also need to be clear, and it would need to be easy to understand both what the alert is saying and why it's prompting you. That's where apps that specifically identify malware have a tremendous advantage. If you have a good scanner, you can pretty well trust what it's telling you, and even the worst of scanners isn't going to have as many "false positives" as a HIPS.

    So why do HIPS programs keep adding features, when the existing set of features would stop malware before they got a chance to trip off the alerts from the new features? Most likely because their customers believe that adding more features makes them more secure. Simply put - demand. Demand drives all sales.

    So how do you test your security? IMO the best way to test your security is with online Browser Security Tests, such as http://bcheck.scanit.be/bcheck/, online port scanners, and the Eicar tests (especially the email ones). When it comes to trojans, no amount of HIPS are going to save you from yourself.

    The best way to increase your security is to learn how to use what you have to its fullest. Learn how to configure your firewall to the max (nobody seems interested in this anymore), turn off the things you don't need, use an alternate browser and email client, configure that email client for better security, learn how malware is distributed and avoid it, and learn all about your computer (that's probably the biggest one. Security, for me, was a good way to get into learning about the entirety of the computer, and that's what has done the most for my security), but don't get an app that you're just going to click "allow" on every time it pops up. If you want more advanced security, try getting something that will give you information on how a file is going to behave so that you can review all the information. At the very least you can use Google.

    Lastly, as to how to find out what kind of tricks are really being used and what to look out for, etc., try keeping up with the antivirus sites. They almost all have a "Top 5" (or ten, or so) recent threats that give descriptions of what the top spreading malware is doing, and how it does it. This will give you the most insight into what's going on out there, and it won't take very long to go over them. I'm really surprised, actually, that more people don't do that around here. I might have to start posting this kind of stuff.
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    So quantity is all you look for?

    What goal? Can it be a "good goal"? If you don't know what it is, how do you know you are making the right decision to a prompt about it?

    You are still not seeing my point.

    If it's a one in a trillion trillion shot, it's still worth spending time and effort on stopping it?

    Yes, I think it's a waste of time continuing, maybe Notok can talk more sense into you, but I doubt it...
     
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Another good post Notok.

    When you say "most people" who do you mean exactly? Do I count as "most people"? Do you? Does Rasheed? Or do most members here not count as "most people"? :)

    Exactly, exactly! But I suspect Rasheed's stand is "Why choose, let's do both!" :). Heck, the more things you are alerted about (whether they really have a high chance of indicating 'badness') the happier Rasheed is.

    Blocking "Windows message" is a must have, why? I don't know, it sounds like a goal malware does. :)

    Well the ultimate solution would be a system that alerted you on any file write, heck any file READ on your system! :)


    I agree, ideally, HIPS should monitor very specific and very unusual behavior that legitimate software doesn't do so that when it alerts it is almost certain that something is up. Is that really possible? I don't know.

    As for the "why it is prompting you", that seems even more impossible, unless you are some sort of programmer familiar with windows api that is.

    What exactly is this "windows message" thingie that Rasheed thinks is so important?

    But that is the secret of HIPS, they don't have false positives! And also HIPS gives you the false illusion that you have a chance of stopping bad stuff. To do that, we alert on everything! If you let it through by clicking yes, it's your fault, we already alerted you!


    As you already mentioned there is a big difference between running off to test some leak test that you already know is bad, and in a real world situation.

    It's kind of like people using whitelisted exes, claiming that they are protected because the moment they click on the test executable, they click no to the prompt and it doesn't start.

    Of course, everyone knows that you are supposed to let the test run first to simulate real world situation where you actually run it, but is there really such a difference?

    You already know it's malware, so ANY prompt that occurs immediately you click no. :)

    Definitely. HIPS is pretty funny, you can easily think of a million behaviors to look out for, leading to more alerts, but how useful are these prompts? No one knows.

    Pretty funny isn't it, how some people running all sorts of HIPS don't know how to use simple rule based firewalls. When you think about it, firewalls are pretty much HIPS except for network connections.

    Notok, I think most people here aren't worried about such stuff.

    They are worried about "advanced malware" as Rasheed puts it. They worry about cutting edge, theoretical stuff, invisible rootkits, stuff that hides in the BIOS, zero days (whatever that is), superhackers etc.

    The problem is of course, it's almost impossible to judge how likely or dangerous such things are.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    No it's not only about quantity, it's about the features that I think are important. Also if a HIPS is way too intrusive, alerting you about everything that's going on, I would choose not to use it.
    I have already answered this question twice. And if you think that the chance is so small, why are you using any anti-malware tools then? Better yet what the heck are you doing on this forum? The only thing that you seem to be good at is telling people that they don't really need to use HIPS, a stupid thing to do on a computer security forum, nobody is going to listen to you anyway.

    No this is not possible, legitimate software can also perform certain suspicious actions so it's all about trust. If you don't trust an app you shouldn't allow it to do dangerous stuff like installing global hooks or drivers for example.

    I'm sorry to say but you're the last one who should talk about sense. I've also read some of your other posts and frankly you're acting a bit like a troll.
     
    Last edited: Mar 23, 2006
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    @ Notok

    Of course it's true what you wrote but personally I feel like I have enough knowledge (even though I'm no expert) to know how I should interpret these HIPS alerts. Newbies might be better off with more "silent" HIPS like Prevx1 and Cyberhawk.

    About testing security, in the past I've often tested IE exploits and most of the time they would not work because of my system hardening. And at the moment I'm also installing real malware in VMware to see how HIPS react. ;)
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Right, the more 'features' the better right?

    "I think it's a good thing to cover as much "entrypoints" as possible, because the more you protect/harden your system the less chance that you will get compromised."

    Which features are more important? Can you tell? If not, isn't it about quantity?

    For fun? For blocking less "Advanced" malware? :)

    Sounds to me you think computer security is all about using and testing security products (which I do btw but that's not the point). That's very funny, Rasheed. But a common misconception here I suppose.

    Yet another assumption, security is about using HIPS. Or that everybody here thinks you have to use HIPS to be safe. :)

    If you don't trust an app, why the hell are you running it in the first place? Just cut out the middle man and don't use it in the first place? :)

    ~Snipped Personal Comment~ dog
     
  10. dog

    dog Guest

    OT/Personal post removed

    Seeing as we can't seem to keep the "personal attack" stuff out of this thread ATM. It will be closed for 24hrs. If these type posts continue when this thread is re-opened, it will be closed permanently. For the benefit of all, I hope this won't be the case.

    Thanks in Advance

    Steve
     
  11. dog

    dog Guest

    This thread is now re-opened. Please keep in mind the above post.

    Thanks for your co-operation

    Steve
     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,751
    Location:
    Toronto Canada
    Router

    NOD32

    Ewido with realtime monitor enabled.

    That's all folks.
     
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Latest revisions as of 3/23/06:

    Resident:

    BOClean
    DefenseWall HIPS
    Look'n'Stop
    Netgear RP614 v2 Router w/NAT & SPI
    NOD32
    RegRun Platinum 4.5

    On-Demand:

    Ewido(free)
    Sentinel
    Spyware Doctor
    Spy Sweeper

    System Hardening:

    Applied manual system hardening tweaks
    Disabled most WinXP SP2 services
    Harden-It
    Removed Netmeeting
    Removed Windows Messenger
    Samurai
    Windows Worms Doors Cleaner


    Peace & Love,

    CogitoErgoSum
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Although the comments were directed at DA, and I can't speak for him (although I doubt he'll disagree), I think it's important to realize that at least what I'm saying isn't that behavior blockers are bad or should be avoided, but that they need to be kept in proper perspective. There are posts around claiming that they're more effective than scanners and that they should be the first line of defense, etc., and still get recommended to newcomers that wouldn't really be able to use them effectively. Many times after installing these programs, people will feel that their system is far more secure than it could ever be otherwise, not realizing what is necessary for such programs to add any level of real security, which can sometimes do more harm than good. The same people would probably not feel comfortable using HijackThis to spot malware on a system, and behavior blockers require the same level of expert knowledge.

    There are some behavior blockers, granted, that make things a lot easier for the non-expert, and not being an expert is by no means a bad thing. There are also other reasons to use such apps, I learned a tremendous amount about Windows by using them, especially beta testing, specifically because it made the system harder to use. At some point, though, I realized that with things like Trojans that get bundled in with other software, behavior blockers are really no good because you have to turn them off when you install something, or if you leave it on then by the time you realize that something is malware then it's already had the chance to dig in enough that it's still going to be just as difficult to deal with at best, and at worst the botched install hoses the system worse than if it had completed the infection. They are great tools for system control and catching the unexpected, but there are also lots of other ways to deal with the unexpected.

    When it comes to features, my point on that is that we don't just need MORE points to alert on, but better and more clever ways. While the 'bad guys' are getting more clever in the ways that they infect systems, it seems like most of the industry is just adding more to the things that have been around for years; there's little true innovation. Instead of going with the "more is better" method, there needs to be more intelligence applied to detection methods that can provide good security for anyone and close the gaps in traditional security solutions. Some companies are starting to do this, but the overall trend seems to be just rehashing the same old methods that have been around for quite some time, methods that have already been proven to be ineffective. In the end, we have to demand and expect more.

    After all, isn't that the point of threads like this, to see what new and clever ways people may have come up with to secure their system?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    @ Dog Instead of closing the thread I think it's better if all these posts were moved to a separate thread. I already sent a PM to a mod but I got no response.

    @ Devil's Advocate (DA) I missed the personal attack so perhaps you can PM me. Don't want to miss all the fun. ;)

    A general comment: I think some of y'all are underestimating people, personally I don't think it's that hard to figure out how to protect your system, just like it isn't that hard to learn how to use a certain tool (how to configure, how to deal with alerts), it's not rocket science.

    Why I perhaps got a bit personal is because of the fact that I got the impression that DA is trying to say "why switch from HIPS" or "why try to test them, you and I are too stupid anyway". Well speak for yourself. And if you think people are paranoid, guess what, we really don't care. Also to stay on topic, perhaps you can post your setup, DA?
     
    Last edited: Mar 23, 2006
  16. Tonia

    Tonia Registered Member

    Joined:
    Mar 22, 2006
    Posts:
    7
    Location:
    Dreamland
    Hi everybody.

    I have: Nod32
    Ewido realtime disabled

    Spybot S&D no teatimer
    Adaware SE no adwatch
    Spywareblaster
    Winpatrol

    ZoneAlarm
    Ccleaner
    Firefox

    That looks like a lot to me, but it works fine :)

    Greets Toni :)
     
    Last edited: Mar 23, 2006
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    @ Notok

    I agree, even with HIPS you might still be able to get hit. But personally I'm very excited by the new developments, like you said before you can actually learn a lot about your PC and can get more control over your system with these new HIPS tools. At least it's better than the past where we only had an AV/AT to rely on, that's my point of view. :)
     
    Last edited: Mar 23, 2006
  18. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    hi all

    linksys wrt54gs v2 hardware router/firewall nat & spi
    zonealarm free v6
    nod32 v2.5
    msas beta 2
    spybot
    ccleaner
    lavasoft free

    that's mine :thumb: :thumb: :thumb:
     
  19. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Strange request given that the post Dog deleted was yours. :)

    For sure. But your goal is to protect against "advanced malware", right? :)

    Is it rocket science to know what "windows message" is, and why and when to block them? :)

    Oh sure, using the tool (wrongly) is easy enough, once you get past all the system instability that comes with running half a dozen HIPS. But I doubt if you really know if all those HIPS help you resist 'advanced malware' which you so fear....

    I think some people are overestimating themselves. It's one thing to know about basic security precautions and to install and run software yes. Any fool can do that. But yet another to pretend to themselves they know what HIPS is best to 'resist advanced malware', when they can't even tell me what exactly is being monitored.

    QN: What exactly is this "Windows message" that is so important to block that Rasheed thinks is important in ZA pro?

    ANS: "I'm sure that some malware out there will try to achieve a certain goal by using "Windows Messages"."

    Great answer! Windows messages is something that some malware tries to achieve?? ;) Do good software try to achieve that?

    Well I have given you ample opportunities to prove that you know what you are doing, but to be honest your answers about what windows message is, and why it is important to block, don't give me any confidence you know what you are doing. Sorry.

    Which setup?
     
    Last edited: Mar 24, 2006
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    No I don't.

    But as well meaning as your lecture is, I doubt it's sinking in. A lot of people here think they know more than what they really do. So when you say "non-experts" don't really benefit from it, they think it doesn't include them (it definitely includes me), even though if pressed they say they are not experts.

    Oh sure, read Wilders for 1 year or so, and you know all the buzz words, "windows message", "process termination", "leak tests", etc, and suddenly you are qualified to tell which security software can block "advanced malware" even though you don't know what "windows message" is, what it does, how dangerous it is, how many malware use it etc. :)

    No, no, more is better. Because we can't tell which feature is important, we load up on everything. :)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    @ DA

    Yes that's strange indeed, since something (Snipped Personal Comment) was removed in your reply not mine. Another OT post was also removed but it wasn't mine.

    But the bottom line is that you're trying to say:

    1. The chance that you will be attacked is extremely small
    2. HIPS are not that important (you're paranoid)
    3. Your current setup is not good enough anyway (if you're paranoid)
    4. You don't even understand how these features in HIPS might protect you (you can't evaluate them)
    5. Does advanced malware even exist?

    My response is: OK thanks for your opinion, but really who gives a rat's ass about what you think? I think by now it's clear that I clearly have a different view on this matter. We can keep discussing about it but nothing is going to change. And at the end of the day my PC still is malware free, that's the only thing that's important to me.

    I'm talking about your computer security setup, was that really so hard to figure out?
     
  22. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    If you say so. As for the snipped comment it was merely a personal note pointing out that you frequent maxthon forums and pose as a security expert there.

    By 'super advanced malware' yeah.

    Nah. 3. is merely your current setup might or might not be good enough, who knows? And when you choose to switch in one for another, who knows if it leads to better defense. It's tricky enough with antiviruses, but ......

    Well depends on what you mean by 'understand'. Reading a single line in the help file explaining what the alert is, doesn't come quite to 'understand' in my book, but that's just me. As you so eloquently put it, those alerts are about 'some goal that malware might try to do'. :)

    No, no, it exists. Come on don't be crazy.

    You do. Why else are you answering? And if you don't listen to me, listen to Notok. :)

    I guess spending time and energy chasing the illusion of improving resistance to advanced antimalware isn't important to you?

    Oh right, you assume I only have one computer and one setup.

    Well okay, as I type this on this computer setup I'm running:

    Kerio 2.15
    Ewido
    Prevx1R (yeah I'm a newbie unlike you!)

    In VMware of course. Been running this for 2 months or so already. Is it better than a super souped up version with all kinds of HIPS? I don't know.

    I suppose this is very weak protection against advanced malware in your book? And you can tell me exactly how the lack of <feature X> as provided in Neovguard/ ZA pro/ KAV 6/ will lead to my downfall?
     
    Last edited: Mar 25, 2006
  23. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Ah, but you could be an expert just by turning on the advanced preferences and switching to Expert mode :D
     
  24. medz

    medz Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    13
    my current setup

    Netgear dg834g v2 modem wireless router firewall
    windows xp sp2 firewall(enabled)
    Kaspersky pro 5.0.391(extended database)

    any suggestion of improvement would be welcome
     
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You are probably fine as is given that some of the obvious suggestions you might receive will at least be partially covered when you presumably upgrade to KAV 6.0. If you go to the KAV/KIS 6.0 beta ftp site and look in the Docs folder, there are a couple of draft documents related to the new Proactive Defense module. Those documents provide some indication of what will be available to you in the next version, which is quite close to release.

    You can always add stuff, but the point at which diminishing returns kicks in is sensitive to how you use your PC and what you use it for, among other things.

    Blue
     