The layered security approach - how many is too many?

This post is inspired by Tzuk's comments in this thread here:
http://www.sandboxie.com/phpbb/viewtopic.php?t=8198

In one post, Tzuk writes:

As for running more or fewer security apps, that's your decision. Clearly every additional piece of software that you introduce to your system adds more security risks. And let's suppose that some security software that you add has an unknown exploit hidden somewhere. What if that expoit is never actually exploited, but that security software does protect you five times against other exploits? So in the bottom line, was it a good idea to add it, or not? Things are rarely black and white in life.

Great insight! So how many is too many? What are we actually trying to achieve when we install our security programs or go through our security approaches?

My security setup/approach post explains a lot about how I've configured the security on my computer. It's also explained a little bit about why I've done what I've done. However, in simplicity:
1. LUA - running as a limited user at least mitigates or completely stops malware that requires administrator privileges to run/infect. And there is a lot of real-world malware like this out there. Running as a limited user also complements SRP perfectly. On Windows Vista/7, this would be a big reason why I'd continue running as a limited user despite having UAC available.
2. SRP - system-wide default-deny (anti-execution) mechanism of protection - as a general rule, if it can't execute, it can't infect.
3. Hardware DEP - blocks buffer overflow attacks, but not as reliably as one would hope.
4. Sandboxie - acts as a containment mechanism of protection configured to malware threat-gates.
5. Windows Firewall/NAT Router - blocks/hides from direct hacker attacks via ports.
6. Drive SnapShot - when/if all else fails, a recently created clean image is there to the rescue.

There is only one third party security program in that list (Sandboxie) running in real-time, but yet there are multiple layers of protection. Perhaps ultimately, this is the question I have for everyone:
"What else would you add to this setup/approach, and why?"

(I must admit that the ultimate aim of creating this post is to promote using as few third party security software as possible, but I'm also interested in what other people think in general).

I more and more start or think to follow this rule too, using as few third party security software as possible. If I read some users signatures at Wilders, many overblown configurations. Can they still work with their systems?

A lot of installed security applications on one system reads good on paper, but this can lead to a more insecure and unstable system than the opposite.

Your configuration is a cheap one. What I mean, you already paid for a lot of your mentioned components and they are part and integrated directly in the operating sytem. With LUA/SUA + SRP/AppLocker + DEP and UAC on Vista/7 you surely block the majority of malware.


SUA on Vista/7: switch to a SUA account immediately after re-installing the OS, before installing other software! Due to different problems it's better not to switch if your system is running for while already. Thats the reason why I currently don't work in a SUA.

But I have also to admit, I have difficulties to work in a SUA + AppLocker environment. Both doesn't fit to my manner of working, can't really explain it.


Beside Sandboxie there are two applications I could imagine to recommend to many users: First, a daily scheduled flash scan with Malwarebytes' Anti-Malware - just to be sure.
Disable the real time module, so it doesn't hurts. And secondly an application that I start to love, WinPatrol PLUS. Nice to see the notifications about newly added autostart entries, new services...

Ruhe wrote: With LUA/SUA + SRP/AppLocker + DEP and UAC on Vista/7 you surely block the majority of malware.

Agreed, and even throw in x64 for some kernel protection, although I realize it's not malware proof, but there was a MS report I saw within the last year that illustrated statistically fewer infections in x64 than in 32 bit.

You know, I never really understood why having more installed (security) software increased one's risk of getting infected. It just didn't make sense to me initially. However, here are 2 reasons why:

1. More chance of system instability and conflict. Unfortunately, we don't always see this instability/conflict until we actually get attacked by malware. For example, Sandboxie conflicted with most antivirus software and HIPS here:
http://www.sandboxie.com/phpbb/viewtopic.php?p=39169#39169

The extra protection you have implemented into the latest Sandboxie Beta release conflicts with Avira AntiVir and CIS. (and many others)

This conflict only seemed to exist on Windows XP. Regardless Tzuk fixed it, but it's just an example of how even having software installed (even though they're not real-time) can cause conflict and can make your primary layer of protection (eg. Sandboxie) weaker. I didn't even install the Avira Guard component (that is, I tried to run Avira purely on-demand) and there remained a conflict. Even disabling every associated component and stopping every associated service etc did not resolve the conflict. As I mentioned, completely uninstalling Avira and Comodo were required to resolve the conflict.

2. More chance of (extremely dangerous) buffer overflow exploitation. I only learned about this second reason recently. The more software we have hooking or installing into the windows kernel, the more we expose ourselves to these exploits and attacks. For example, if an overflow exploit was found in Shadow Defender, (which is rarely updated and I don't think anyone has heard from its developer Tony for months...I've e-mailed him at least twice in the last 8 weeks with no reply. He also hasn't posted on the support forum for months) malware writers could use this overflow code to exploit systems with Shadow Defender installed and completely bypass Shadow Defender and potentially any other security software the system has.

Regardless, what exactly are we trying to achieve by having so many third party security programs installed? In general (and aside from direct hacker attacks via ports...I don't think the average home user has EVER had this happen to them anyway), for one to be attacked by malware, one needs to be accessible to "newly introduced data" via:
1. Manually double clicking (opening) an infected file.
2. Visiting an infected web-site containing eg. a drive-by attack.
3. Plugging in an infected hardware device (eg. an infected USB drive) and getting attacked via Autorun.

There are multiple ways of avoiding the above without the use of third party software or with just the use of one:
1. Don't download files from untrusted sources and certainly don't run them on your REAL system (I do admit that this requires an "above average" user...which most of us here are!). You could also manually open all newly introduced files sandboxed instead.
2. Use Firefox with NoScript (or equivalent) for all surfing. You can also run your web-browser sandboxed.
3. Disable Autorun. You can also sandbox external drives.

Finally, there seems to be a trend towards promoting anti-logging software recently (to protect against key-loggers, screen-loggers, clipboard-loggers, sound-loggers, webcam-loggers etc etc). But when you ask yourself how you could be attacked by a malware logger, you'll find it's exactly the same as the above 3 ways. And the solution does NOT require the addition of another third party software. Instead, the solution is also described above. If you use a good security approach combined with this, your protection against malware logging will be much stronger than the protection any third party software can offer. But I suppose the developers of anti-logging software don't want us to know that haha.

ssj100 wrote:
Finally, there seems to be a trend towards promoting anti-logging software recently (to protect against key-loggers, screen-loggers, clipboard-loggers, sound-loggers, webcam-loggers etc etc).

These are outselling sliced bread at Wilders "What is your latest security setup" thread

But I suppose the developers of anti-logging software don't want us to know that haha.

Right, the same as antivirus companies recommending their solution to combat the latest published exploits.

Most problems on Windows are caused by badly written third-party drivers and lousy hooks. That pretty much explains everything. I have no third-party security solutions installed at all on my Vista SP2.

Paul