Why cure when you can protect?

Discussion in 'other anti-malware software' started by Kees1958, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, all

    After quitting anti-spyware programs, I have now removed my antivirus (Antivir). It had not found a virus in 1.5 years. The combination of a sandbox (DefenseWall), a process/registry monitor (SSM free) and a firewall/data wall (SensiveGuard) proved to be sufficient. So let's spice up the discussion.
     


  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Removed from real-time or completely?
    In the not too distant future, my security strategy will be:
    - Host-based: whitelisting/behaviour analysis/hardening/sandbox/forensic analysis.
    - Network/perimeter/gateway based: blacklisting, content filtering, network behaviour (UTM router).
    So, the blacklisting will be moved from hosts to the gateway.
     
  3. EASTER.2010

    EASTER.2010 Guest

    I haven't taken anti-virus apps seriously since one particular HIPS surfaced on this scene not so long ago and has taken the internet AND THIS FORUM by storm. I think you all know what I speak of here. I wouldn't want to scratch any wounds by saying they are a total replacement for AVs, but they have completely proved to me that they can handle the job just fine. That is a really efficient combo.

    I recently took on KIS6 because I wanted to complete the full spectrum of security for one machine that gets the most internet attention, BUT I STOPPED DOING ANYTHING BUT ON-DEMAND with it. Why bother, as you say, when you haven't been troubled? The only trouble I could possibly run into is by infecting myself, and I've done that so many times it's commonplace. Same goes for drive-by downloads, since Power Shadow is here now.

    Online I go something on this order: SSM (full), CyberHawk, ST + Kerio 2.15... occasionally EQSysSecure, for testing's sake mostly.

    So let's do spice up the discussion over this phenomenon. :cool:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I kind of agree, and have also cut back. I am using Sandboxie, and if I want an extra layer I will do something in a VM. Also, in many ways FDISR serves as a higher-level sandbox.

    I've already pulled SAS and Prevx off. I still have SSM, KAV and OA on the machine.

    Pete
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I've cut back as well.
    All I've got is KIS 6.0, SuperAntiSpyware and Spy Sweeper,
    also SpywareBlaster and a-squared HiJackFree.
    I removed a-squared Free a while back.
    lodore
     
  6. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I've been running my Windows box for about a year with only Deep Freeze and the Software Restriction Policy built into XP Pro. I almost forgot: a NAT router too.
     
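The "Software Restriction Policy built into XP Pro" that this post relies on is a default-deny allowlist: the default level is Disallowed, a few path rules mark the OS and Program Files trees Unrestricted, and the most specific matching path rule wins. The classic mistake is forgetting that ordinary users can write to some folders beneath those trusted trees, which hands an attacker an allowed launch location. The following is an added example, written for this page and not code from the thread, from SRP itself or from any product named here; it models only the path-rule semantics (hash and certificate rules, which outrank path rules, are left out), and the list of user-writable folders is an illustrative assumption, not an audit of any Windows version.

```python
import ntpath
from dataclasses import dataclass

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    """An SRP-style path rule: a folder (prefix) or file path plus a security level."""
    path: str
    level: str


# Default security level of a default-deny policy: anything no rule covers is blocked.
DEFAULT_LEVEL = DISALLOWED

# Assumption: illustrative (not exhaustive) folders under C:\Windows that users can write to.
USER_WRITABLE_UNDER_WINDOWS = [r"C:\Windows\Temp", r"C:\Windows\Tasks"]

# Constructed policies: the "weak" one is what most people start with, the "hardened" one
# re-denies the user-writable folders beneath the Unrestricted C:\Windows tree.
WEAK_RULES = [
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
]
HARDENED_RULES = WEAK_RULES + [PathRule(p, DISALLOWED) for p in USER_WRITABLE_UNDER_WINDOWS]


def _norm(path):
    # Case-insensitive, normalised Windows path; ntpath works on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def _covers(rule, target):
    r, t = _norm(rule.path), _norm(target)
    return t == r or t.startswith(r.rstrip("\\") + "\\")


def evaluate(target, rules=HARDENED_RULES, default=DEFAULT_LEVEL):
    """Return (level, matching_rule). Among path rules the most specific (longest) match
    wins, so Disallowed on C:\\Windows\\Temp beats Unrestricted on C:\\Windows."""
    matches = [r for r in rules if _covers(r, target)]
    if not matches:
        return default, None
    best = max(matches, key=lambda r: len(_norm(r.path)))
    return best.level, best


def audit_gaps(rules, writable_dirs=USER_WRITABLE_UNDER_WINDOWS):
    """Writable folders from which a user could still launch an executable under `rules`:
    the check to run before trusting a default-deny policy."""
    return [d for d in writable_dirs
            if evaluate(ntpath.join(d, "probe.exe"), rules)[0] == UNRESTRICTED]


if __name__ == "__main__":
    for exe in (r"C:\Windows\System32\notepad.exe",
                r"C:\Documents and Settings\user\Local Settings\Temp\froop.exe",
                r"C:\Windows\Temp\dropper.exe"):
        print(f"{exe}: weak={evaluate(exe, WEAK_RULES)[0]}, hardened={evaluate(exe)[0]}")
    print("launchable writable folders under the weak policy:", audit_gaps(WEAK_RULES))
```

Run it and the weak policy reports `C:\Windows\Temp` and `C:\Windows\Tasks` as gaps while the hardened one reports none; the downloaded `froop.exe` in the user's Temp folder is blocked by the default level in both. Whatever folder list you use on a real system, the point is to derive it from the actual ACLs rather than from memory.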
  7. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    While I still have signature scanners in the form of AV and AS, I acknowledge the reasoning against them and agree with the rationale for dumping them. Over the long term, that approach simply isn't viable. It will only be a matter of time until they no longer meet the standards of effectiveness and efficiency for most people with computer security know-how. However, they will likely maintain their dominance of the computer security market well past this mark, given that the vast majority of computer users are ignorant in the realm of computer security.
     
    Last edited: Mar 24, 2007
  8. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    The primary problem with doing away with signature scanners is that the alternatives typically aren't user-friendly. Most people I know would have no idea how to use the simplest HIPS, sandbox, or virtualization software. Granted with some of the programs out there you could potentially set it up for them in a manner that would not require much further user input, but that usually isn't the case.
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Yes it is, lol.

    I never know what type of HIPS, sandbox or virtualization to use.
    With IE sandboxed you can't do Windows updates.
    Most people here at Wilders can be safe with just an AV and firewall and nothing else.
    If you never get infected, an AV with signature updates is fine.
    Of course, sandboxes mean no popups and can be emptied with one click.
    Some people get annoyed with all the popups from some HIPS.

    lodore
     
    Last edited: Mar 24, 2007
  10. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    Removed that part of my post as I figured it wasn't pertinent to the discussion, and given that this is an important discussion to have, I didn't want it to get sidetracked.
     
  11. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I don't believe in curing anymore; preventing, yes, if I can, and I use a HIPS for that. More importantly, there is the ability to detect malicious system file modifications, changes and deletions, both hidden and seen, which I am able to do in under 15 seconds, sometimes less, with TinyWatcher set up with modified settings. There will be no hesitation on a clean system restore, which is worth the 30-second wait as opposed to 5 min or longer scans by AV, Trojan and malware-type scanners in the hope that it gets it all. Well, as we all know, if you're running PowerShadow then a clean restore is all the easier. :D
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I boot every morning into a clean computer; in the past I only had a clean computer twice a year. So that's an improvement.
    Now I'm only interested in software that prevents the installation of malware and/or stops the execution of malware to save the day between two reboots.
    I don't need software anymore that removes malware; I took care of that already (100% in theory), much better and faster than scanners and without false positives :rolleyes:.
     
  13. EASTER.2010

    EASTER.2010 Guest

    When I finally get my new hard drive in and partition everything to my liking, then add the famed FD-ISR, I think that one will just about complete matters finally.

    It'll be great to be able to turn to a working snapshot with everything in order and not have to jockey apps so often like before. Plus can really go full steam with experimenting the facing off of Security apps vs. malware.
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi,
    I've never been one to run an AS and AV constantly in the background on a computer. Through virtualization such as VMware, or whether it's FD-ISR, plus a firewall, I do not think it is needed here in that capacity.
     
    Last edited: Mar 25, 2007
  15. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Advanced users (or really, really safe surfers) may be able to do with HIPS/sandbox/virtualization etc., but for the rest of us I think scanners will stay.
     
  16. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    If the scanner takes less than the time it takes me to restore my system then yeah, I say keep them scanners; if not, then LOL :D
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Time to spice it up. Protect from what?

    Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it, even brought it on a CD for you.

    So you start installing. Of course, to install, you need to disable DefenseWall, right? And your HIPS starts warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...

    So I'm wondering at what point you will decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth.

    Now the real question is:

    If you suspect a file, why run it in the first place?
    If you don't, why check it at all?

    And again, will you let scvhost.exe connect to windowsupdates.com via port 80? Nothing special.

    Mrk
     
  18. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I'll answer this based on my own personal reasonings; others will have different seasonings, oops, I meant reasonings. :D
    1st, to protect myself from possible BSODs and to learn more about a specific program's installation: files created, directories, hidden deletions, registry entries. Of course it's a learning thing for myself; I get off on it. :rolleyes:
    2nd, about that program I need and used in the past: well then it's quite obvious that I would have some trust in something that I liked and used in the past; it's a no-brainer. The same could be said of any program; there is always a risk factor of any program going rogue, especially if it's not open source and you don't understand code. That's why you test programs out. For myself, after using previous versions of froop.exe I have since then studied and learned about key registry entries, what they mean and why the settings are set the way they are set. I'm glad I know this, as I could easily recognize an entry that should not be there if it should ever get flagged. That was hard. :rolleyes:
    3rd, I speak for myself, but I'm sure others have other methods of testing a program out, maybe through virtualization or another box if they're $rich$. :D
    4th, if I ever suspected a file or not, the reason I would run it is simple: for the learning and the experience... LOL :rolleyes: Will I let svchost.exe connect to do updates? I speak for myself: NO WAYS! Ain't happening! LOL. The idea of MS trying to patch things and then adding new holes doesn't fly by me.
     
    Last edited: Mar 25, 2007
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Mrkvonic, scvhost.exe as in this virus?:):D
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I remove my possible infections during reboot (90-120 seconds); no full scan can beat that, and most users have more than one scanner.
     
  21. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Not bad, Erik Albert. I remove my infections in under 25 seconds with a reboot, and I can do a complete clean overwritten restore in under 2 min :thumb: This, by the way, includes the time to put my PC-DOS disc in, boot into the environment and then select my clean .gho image off the external drive. Now that's as fast as I go.
    Actually, Tiny Watcher won't remove infections, but it can full-scan and let me know of newly created files and reg entries that shouldn't be there in under 15 sec. Try it for yourself. I have run live malware against this scanner's detection abilities and it will pick up the added entries, seen and hidden, that the baddies create or delete; you just need to modify the default settings.
     
    Last edited: Mar 25, 2007
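Posts 11 and 21 above describe the same detection technique: take a baseline of the files and registry entries on a known-clean system and, after something has run, list what was created, changed or deleted, then restore rather than clean. The script below is an added example written for this page; it is not TinyWatcher's code and not taken from any post in the thread. It snapshots a directory tree (hash, size, mtime per file), diffs two snapshots, and shows why the diff must be keyed on a cryptographic hash: a same-size patch with its original timestamp put back (timestomping) is invisible to a size-and-mtime comparison but not to SHA-256. The "infected" tree is constructed in a temporary directory, and the file names and hosts entry in it are sample data, not real indicators.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk a tree and record hash, size and mtime for every regular file.
    Returns {relative_posix_path: {"sha256", "size", "mtime_ns"}}."""
    root = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():          # do not follow links out of the tree
                continue
            st = p.stat()
            out[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return out


def compare(baseline, current, fields=("sha256",)):
    """Diff two snapshots on the chosen fields; returns sorted added/removed/changed lists.
    The same function works on any {name: record} map, e.g. an exported registry key dump."""
    key = lambda rec: tuple(rec[f] for f in fields)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if key(baseline[p]) != key(current[p])),
    }


def demo():
    """Constructed scenario: baseline a clean tree, simulate an infection, diff it two ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sys32 = root / "system32"
        (sys32 / "drivers" / "etc").mkdir(parents=True)
        (sys32 / "svchost.exe").write_bytes(b"legit")
        (sys32 / "helper.dll").write_bytes(b"helper")
        (sys32 / "drivers" / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # 1. dropped look-alike binary (new file)
        (sys32 / "scvhost.exe").write_bytes(b"dropper")
        # 2. hosts file appended to (size changes, so any comparison sees it)
        with (sys32 / "drivers" / "etc" / "hosts").open("a") as f:
            f.write("0.0.0.0 update.example\n")       # constructed entry
        # 3. same-size patch of svchost.exe with the original timestamp restored (timestomping)
        target = sys32 / "svchost.exe"
        old = target.stat()
        target.write_bytes(b"evil!")
        os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))
        # 4. a file deleted by the malware
        (sys32 / "helper.dll").unlink()

        current = snapshot(root)
        return {
            "by_hash": compare(baseline, current),
            "by_stat": compare(baseline, current, fields=("size", "mtime_ns")),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the output, `by_hash` lists the dropped `scvhost.exe`, the deleted `helper.dll`, and both modified files, while `by_stat` misses the patched `svchost.exe` entirely. Two practical caveats follow from this: store the baseline somewhere the monitored system cannot rewrite, since a baseline that malware can regenerate proves nothing, and treat the diff as the trigger for a restore from a known-good image rather than as a cleanup list.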
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm glad I'm not the only one. My scanner period is over.
    No incomplete removal anymore, no false positives anymore; my history is gone and my registry is clean again. That's the future.
     
  23. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    There's one big problem with an SSM-only approach, namely that, depending on the OS, such files as user(32).exe, system.exe, shell(32).exe, rundll(32).exe, etc. shall still be exposed, and they are the real weaknesses of any Windows OS. Hackers know this, as do some very "intelligent" maliciously coded apps. E.g., lowering a firewall at the wrong time could result in the creation of a Trojan attack which SSM and other similar apps cannot prevent.

    If by emulation, these files, as well as all possible command or run switches, can be placed on the registry protector side, there shall be victory over crudware.

    Dave
     
    Last edited: Mar 25, 2007
  24. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Must be better than "select Full scan". You're not alone there, EA. ;)
     
    Last edited: Mar 25, 2007
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, they can't blame me for not telling how I fight against the bad guys. It's all published at Wilders.
    I'm doing this for myself and I'm satisfied with the results so far.
     