Why cure when you can protect?

Hi, all

After quitting with anti spyware progs, I now removed my Antivirus (Antivir). It had not found a virus in a 1.5 year. The combi of sandbox (DefenseWall), process/registry monitor (SSM-free) and Fire/Data wall (SensiveGuard) proved to be sufficient. So let spice up discussion.

 

Removed from realtime or completely?
In the not too distant future, my security strategy will be:
- Host-based: whitelisting/behaviour analysis/hardening/sandbox/forensic analysis.
- Network/perimeter/gateway based: blacklisting, content filtering, network behaviour (UTM router).
So, the blacklisting will be moved from hosts to the gateway.

 

I haven't taken Anti-Virus apps seriously since one particular HIPS surfaced on this scene not so long ago now and has taken the internet AND THIS FORUM by storm. I think you all know of what i speak of here. I wouldn't want to scratch any wounds by saying they are a total replacement for AV's but they have completely proved to me that they can handle the job just fine. That is a really efficient combo.

I recently took on KIS6 because i wanted to complete the full-spectrum of security for one machine unit that gets the most internet attention, BUT I STOPPED DOING ANYTHING BUT ON-DEMAND with it. Why bother as you say when you haven't been troubled. The only trouble i could possibly run into is by infecting myself and i done that so many times it's commonplace. Same goes with drive-by downloads since Power Shadow is here now.

Online i go something on this order, SSM (full), CyberHawk, ST + Kerio 2.15.......occasionally EQSysSecure for testing sake mostly.



So let's do spice up discussion over this phenomena.

 

ive cut back as well.
all ive got is kis6.0 superantispyware and spysweeper
also spyware blaster and A squared hijackfree.
i removed a squared free a while back.
lodore

 

I've been running my windows box for about a year with only Deep Freeze and the software restriction policy built into XP Pro. I almost forgot, a NAT router too.

 

While I still have signature scanners in the form of AV and AS, I acknowledge the reasoning against them and agree with the rationale for dumping them. Over the long-term, that approach simply isn't viable. It will only be matter of time till they no longer meet the standards of effectiveness and efficiency for most people with computer security know-how. However, they will likely maintain their dominance of the computer security market well past this mark, given the vast majority of computer users are ignorant in the realm of computer security.

 

The primary problem with doing away with signature scanners is that the alternatives typically aren't user-friendly. Most people I know would have no idea how to use the simplest HIPS, sandbox, or virtualization software. Granted with some of the programs out there you could potentially set it up for them in a manner that would not require much further user input, but that usually isn't the case.

 

yes it is lol

i never know what type of HIPS,,sandbox or visliation to use.
with a IE sandboxed you cant do windows updates.
most people here at wilders can be safe with just an AV and firewall and nothing else.
if you never get infected a av with signiture updates is fine.
of course sandboxies mean no popups and be emptyed with one click.
somepeople get annoyed with all the popups from some HIPS

lodore

 

Removed that part of my post as I figured it wasn't pertinent to the discussion, and given that this is an important discussion to have, I didn't want it to get sidetracked.

 

I don't believe in curing anymore, preventing yes if I can, I use a HIPS for that. More importantly, the ability to detect malicious system file(s) modifications, changes, deletions, both hidden, and seen which I 'am able to do in under 15 seconds sometimes less with TinyWatcher setup with mod settings, there will be no hesitation on a clean system restore which is worth the 30 second wait as opposed to a 5min¿ or longer scan(s) by AV, Trojan, and Malware type scanners in hopes that it gets it all. Well as we all know, if you running PowerShadow then all the easier on a clean restore.

 

I boot every morning in a clean computer, in the past I only had a clean computer twice a year. So that's an improvement.
Now, I'm only interested in softwares that prevent the installation of malware and/or stop the execution of malwares to save the day between two reboots.
I don't need softwares anymore that remove malware, I took care of that already (100% in theory), much better and faster than scanners and without false/positives .

 

When i finally get my new hard drive in and partition everything to choice, then add the famed FD-ISR i think that one will just about complete matters finally.

It'll be great to be able to turn to a working snapshot with everything in order and not have to jockey apps so often like before. Plus can really go full steam with experimenting the facing off of Security apps vs. malware.

 

Hi,
I've never been a one to run an as and av constantly in the background on a computer. Through virtualization such as VMWare or wether its FD-ISR, plus a firewall I do not think it is needed here in that capacity.

 

advanced users (or rele rele safe surfers) may be able to do with HIPS/sandbox/virtualation etc but for the rest of us i think scanners will stay.

 

If the scanner takes less than the time it takes me to restore my system then yeah, I say keep them scanners, if not, than LOL

 

Hello,

Time to spice it up. Protect from what?

Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it - even brought it on the CD for you.

So you start installing. Of course, to install, you need to disable DefenseWall, right. And your HIPSs start warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...

So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth.

Now the real question is:

If you suspect a file, why run in the first place?
If you don't, why check it then at all?

And again, will you let scvhost.exe connect to windowsupdates.com, via port 80. Nothing special.

Mrk

 

I'll answer this based on my own personal reasonings, others will have different seasonings oops I meant reasonings
1st to protect myself from possible BSODs' and to learn more about a specific programs installation, files created, directory, hidden deleted, registry entries? Of course its a learning thing for myself I get off on it.
2nd about that program I need and used in the past well then its quite obvious that I would have some trust in something that I liked and used in the past its a no brainer, same could be said of any program, there is always a risk factor of any program going rouge especially if its not open source and you don't understand code. Thats why you test programs out, for myself after using previous versions of froop.exe I have since then studied and learned about key registry entries, what they mean and why the settings are set the way they are set, I'm glad I know this as I could easily recognize an entry that should not be if it should ever get flagged. That was hard
3rd I speak for myself but I'm sure others have other methods of testing a program out maybe through virtualization or another box if they $rich$.
4th if I ever suspected a file or not the reason I would run it is simple, for the learning and the experience...LOL Will I let svchost.exe connect to do updates? I speak for myself NO WAYS! Aint Happening! LOL the idea of MS trying to patch things and then adding new holes doesn't flyby me

 

Mrkvonic, scvhost.exe as in this virus?

 

I remove my possible infections during reboot (90-120 seconds), no full scan can beat that and most users have more than one scanner.

 

Not bad Erik Albert, I remove my infections in under 25 seconds with a reboot, I can do a complete clean overwritten restore in under 2 min this by the way includes time to put my pc-dos disc in and boot into the environment and then select my clean .gho image off external. Now thats as fast as I go.
Actually Tiny Watcher won't remove infections but can full scan and allow me to know of newly created files and reg entries that should'nt be in under 15 sec. Try it for yourself I have ran live malware against this scanners detection abilities and it will pick up the added entries seen and hidden that the baddies create or delete, you just need to modify the default settings.

 

I'm glad, I'm not the only one. My scanner period is over.
No incomplete removal anymore, no false/positives anymore, my history is gone and my registry is clean again. That's the future.

 

There's one big problem with an SSM-only approach -- namely, depending upon the OS, such files as user(32).exe, system.exe. shell(32).exe, rundll(32).exe, etc., shall still be exposed, and are the real weaknesses of any Windows OS. Hackers know this, as do some very "intelligent" maliciously coded apps. E.g., lowering a firewall at the wrong time, could result in the creation of a Trojan attack which SSM and other similar apps cannot prevent.

If by emulation, these files, as well as all possible command or run switches, can be placed on the registry protector side, there shall be victory over crudware.

Dave

 

Must be better than, select Full scan. Ya not alone there EA.

 

Well, they can't blame me for not telling how I fight against the bad guys. It's all published at Wilders.
I'm doing this for myself and I'm satisfied with the results so far.