what would best complement LUA(+SRP)?

Discussion in 'other anti-malware software' started by chris2busy, Oct 28, 2008.

Thread Status:
Not open for further replies.
  1. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Hello.. I switched to Vista since it is impressive after SP1 and, to my surprise, its LUA is fully functional (as opposed to XP's).. with Run As you can truly install anything.. even better than SuRun in XP.. anyway.. I use LUA+SRP on that desktop now but would like something to make me feel more secure about usermode malware. Shoot your opinions, Wilders :)
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    On my Vista systems I use Malware Defender HIPS in addition to UAC and SRP for my default quasi-admin account. Under a LUA (Standard) account, MD's GUI will not autostart when you log in because it needs admin rights. MD's protection is still in place and runs in a default-deny service-based mode with no alerts. To interact with MD, you just need to start the GUI using "Run as."

    MD is a solid classic HIPS for Vista and worth an evaluation.

    Nick
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chris2busy,

    I would add the Norton UAC tool. This nifty utility remembers your UAC choices, after some Vista updates the settings get lost, but it is still less hassle than Vista's UAC.

    DriveSentry takes care of a lot of HKCU registry settings. I have no idea how strong the blacklist is, so for effectiveness against run once/load once user mode malware of the 'on write' (instead of on execution) protection, I have no idea.

    Avast has a strong feature against file infectors (it builds a database of max three versions). Although old fashioned malware, lately there has been a revival of this type of malware. Not user mode, but a pain to remove when a file infector hits you. So adding an old fashioned AV (you could use Avast's P2P, Webmail, Messenger and internet shields only, to prevent overlap on the file drivers of DriveSentry to keep your system snappy and fast).

    The IDS of Mamutu and A2 Malware paid also provide some protection against user mode malware (they are more aggressive against them than ThreatFire).

    Regards Kees
     
  4. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    First off I want to thank you for your replies :)
    I have tried MD and unfortunately found it too power hungry for my taste.

    @Kees1958
    I haven't tried Mamutu nor the latest TF. Is there any way to create custom rules so that they would look after ONLY areas that are not protected by LUA (say C:/Users/whatever)? It would be a resource and performance gain, definitely.. also, will kafu.exe do the same thing for Vista as it did for XP?
    T.i.a
     
  5. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I heard Easter saying that the new ThreatFire version can make great custom rules? That would be great.. does anyone here know what directories/registry/startup entries Vista LUA does not cover? This could be revolutionary in terms of a performance setup :)
     
  6. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    @ kees1958

    I know you have experience with Sandboxie, so would SBIE itself suffice for such a purpose? I have no extra settings other than FF being the only app able to have net access (and direct bookmark access). Is that enough or should I add some extra rules to the SBIE config? I also noticed that the C:/Sandbox folder has no permissions assigned to it.. this could be bad?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, see the setup tips for ThreatFire in CastleCops; search for the list of freeware.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Add these entries https://www.wilderssecurity.com/showpost.php?p=1342623&postcount=59

    Cheers
     
    Last edited: Nov 3, 2008
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have not used SBIE for at least three years. From what I recall the sandbox folder contains all data created by sandboxed programs. To keep the lid on the sandbox, it has no permissions.

    FF only is good, at least when you only want to sandbox the FF browser.

    I now only use TF, Poweruser, some SRP policies and Chromium. The sandbox of Chromium would have protected its user from 70% of the internet based malware of the past year, according to a Stanford University study.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Only 70%? This could be considered as very ineffective protection.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For a freebie compared to the competition (other browsers) it is not bad; of course my favourite policy HIPS/sandboxes are, in descending order: DefenseWall, GesWall, SafeSpace (alas gone), Sandboxie.

    Since you implemented more or less all my wishes, I have not mentioned DefenseWall much lately. But to your credit: my Mom of 75 is comfortable with DefenseWall because it is so user friendly, seamless and strong security:
    a) leave it chained as untrusted by default (no accidental risk of throwing files away like SBIE when clearing the sandbox)
    b) change status to trusted with right click when you want to install something

    Cheers Kees
     
  13. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    If you consider that it's included in the browser itself, it is pretty impressive actually.. e.g. we cannot say that about Firefox (bare bones, not with NoScript and the rest of the gadgets). Although I think I'll stick to Sandboxie.. Google's browser is still fresh and a much targeted app.
     
  14. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Hello chris2busy,

    I have a Vista laptop and a Vista test box with UAC enabled on both. I have no AV or HIPS installed of any kind. For Internet access, I use a LUA + SRP + added DFTs and ARs. On the test box, I throw fresh, zero-day malware at it regularly and then wait for any sign of penetration. I haven't been able to infect myself yet.
     
  15. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Interesting.. But what are ARs? I'm not familiar with the term....
     
  16. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    AR = Additional Rules. Too many times people overlook this step.
     
  17. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Care to share your rules, mate? :)
    Also.. what are DFTs?
     
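The last few posts turn on two SRP settings that are easy to forget after the default level is set: the Additional Rules (the path rules that decide where execution is allowed) and the file types SRP actually enforces on. The script below is an added example, not something posted in the thread or shipped by any product mentioned in it. It reads the local SRP configuration that Local Security Policy or Group Policy stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, prints the default level, scope and DLL enforcement, lists the designated file types, and flags any Unrestricted path rule that lands inside a directory a standard (LUA) user can write to, which is exactly the C:\Users-style area the thread asks about. It assumes that DFTs in the thread means SRP's Designated File Types (an assumption, the thread never expands the term), and the list of script extensions it suggests adding is the author's own choice, not anything the thread recommends.

```powershell
# Added example (not code from the thread or from any product named in it).
# Audits the local Software Restriction Policies (SRP) configuration:
# default level, scope, DLL enforcement, Designated File Types, and the
# Additional Rules (path rules), flagging Unrestricted rules that sit in
# user-writable directories. Assumes SRP was configured through Local
# Security Policy or Group Policy, which uses the registry layout below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Directories a standard user can normally write to. An Unrestricted path rule
# under any of these would let user-mode malware run from a writable location.
$userWritable = @("$env:SystemDrive\Users", $env:ProgramData, $env:PUBLIC, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

if (-not (Test-Path $base)) {
    Write-Warning "No SRP policy found under $base (SRP is not configured)."
    return
}

$cfg = Get-ItemProperty -Path $base
$default = if ($null -eq $cfg.DefaultLevel) { 'not set (treated as Unrestricted)' }
           else { $levelNames[[int]$cfg.DefaultLevel] }
Write-Host "Default security level : $default"
Write-Host ("Enforcement            : " + $(if ($cfg.TransparentEnabled -eq 2) {
    'all software files, DLLs included' } else { 'all software files except libraries (DLLs)' }))
Write-Host ("Policy scope           : " + $(if ($cfg.PolicyScope -eq 1) {
    'all users except local administrators' } else { 'all users' }))

# Designated File Types: the extensions SRP treats as executable. The script
# extensions below are a hand-picked set (author's assumption) that are often
# added manually; any of them missing from the list is called out.
$types = @($cfg.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
Write-Host "Designated file types  : $($types -join ', ')"
$suggested = 'PS1', 'VBS', 'VBE', 'JS', 'JSE', 'WSF', 'WSH'
$missing = $suggested | Where-Object { $types -notcontains $_ }
if ($missing) { Write-Host "  not designated (often added manually): $($missing -join ', ')" }

# Additional Rules: one GUID subkey per path rule under <level>\Paths.
foreach ($level in ($levelNames.Keys | Sort-Object)) {
    $paths = Join-Path $base "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    Write-Host "`n$($levelNames[$level]) path rules:"
    foreach ($rule in Get-ChildItem -Path $paths) {
        $p = Get-ItemProperty -Path $rule.PSPath
        $raw = [string]$p.ItemData
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $line = "  $raw"
        if ($p.Description) { $line += "  ($($p.Description))" }
        # Registry-style rules (%HKEY_...%) are resolved by SRP itself rather than
        # the environment, so they are listed but not overlap-checked here.
        if ($level -eq 262144 -and $raw -notlike '%HKEY_*') {
            foreach ($dir in $userWritable) {
                if ($expanded.TrimEnd('\') -like "$dir*") {
                    $line += "  <-- Unrestricted rule inside user-writable $dir"
                    break
                }
            }
        }
        Write-Host $line
    }
}
```

Run it from an elevated PowerShell prompt (the key is readable without elevation on most systems, but Group Policy refreshes can rewrite it, so run it again after `gpupdate`). A policy that shows a Disallowed default, enforcement on all software files, scope covering all users, and no Unrestricted rule under the user-writable directories is the configuration the thread's LUA+SRP approach relies on; any flagged line is a place where a standard user could still launch code.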