Discuss security setups and approaches here

Computer security isn't just about installing a program or programs.

I like to think of computer security as having a setup as well as an approach. Loosely, a computer security setup is the installed software (and hardware) you are using to protect your system, while a computer security approach is how you are using the installed software/hardware and your habits of treating newly introduced files. Note the underlined text, as it is a very important thought for any computer user out there. I personally think the way we treat newly introduced files is a huge factor in whether we get infected or not. I think poor manual handling of newly introduced files is the second most common way of getting infected.

I think the most common way of getting infected is via the web browser, particularly with a user who clicks OK to everything that pops up. However, simply having a security setup may be enough to prevent this mode of infection (for example, use your web browser sandboxed with Sandboxie). Of course, there is plenty of over-lap between a security setup and a security approach.

I have given a description of my own security setup and approach here:
https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm#16

Of course, that amount of description of a security setup and approach is bordering on insanity, and clearly you should only write in such detail if you are very very bored haha. On a serious note, I do hope this information is of some value to anyone and everyone.

Anyway, feel free to discuss my setup/approach, as well as your own below.

The core of my security set is ShadowDefender and Sandboxie (or reverse order)
I like to say I am protected by both 95% of the time.
I use basically the Sandboxie settings ssj100 has posted.

I normally run all media players,PDF readers,and as many of my games as I can,sandboxed.
I keep up with the Sandboxie Beta cycle pretty faithfully.

With ShadowDefender,and its slower problem response,I tend to keep at "last
known good configuration"
I use Firefox with free KeyScrambler,and a toggle java script button,default off.

my security approach,is cliche,but "Trust No Exe."
For that matter almost any file can infect,in the right conditions,so I :

1.Limit as much as possible committing things to my "real" system,that can almost as easily be ran in Shadow mode,and discarded.

2.Scan ever file committed to the real system with HitManPro.

I doubt it is Bullet proof,but I thank its pretty bullet resistant.

thanks,
noor

Sounds very simple and clean, and yet highly effective.

I personally think it's so effective that there isn't much point running as a limited user (in the right hands), and I understand you run as admin.

However, I will always promote LUA/SUA where I can.

Thank you ssj100!!
I do run admin.
I absolutely intend to try LUA/SRP/SuRun in the future.

Free,super tight security? Heck yes!!

I am on a 9 month old install of Windows now,and had rather set up everything on a new install.

One thing I am ashamed to say is I have no backup software,other than my Documents on DVD-R's.

With regards to imaging software, have a read here:
http://www.techsupportalert.com/best-free-drive-imaging-program.htm

They seem to recommend "Paragon Backup and Recovery Free" and rate it as the most highly recommended. However, I note that the installation file size is over 100Mb. I don't know about you, but it sounds like bloat to me?

I have tested briefly Macrium Reflect Free, and it seems fairly reasonable, and I think it's probably the best Free option.

demoneye recommended Drive SnapShot to me, but it's not free. However, it's a one-off payment for lifetime use:
http://www.drivesnapshot.de/en/
Drive SnapShot has got to be the smallest back-up program ever (or smallest for any type of decent program for that matter) - it's only 250kb, and doesn't need to be installed!

I have also installed and played about with Macrium Reflect Free,and it seems straight forward enough.

Drive SnapShot sounds interesting,I am reading a little of their web page now.

Until, now I didn't know Paragon has anything for free. 100mb is pretty chunky,no doubt about that.

noor

I always restore images in offline mode, by booting from CD and restoring the image without loading Windows. This offline mode is just terrible with Drive Snapshot, the worst I ever have seen.
My app for imaging: Macrium Reflect, registered

Ruhe wrote:I always restore images in offline mode, by booting from CD and restoring the image without loading Windows. This offline mode is just terrible with Drive Snapshot, the worst I ever have seen.
My app for imaging: Macrium Reflect, registered

Yes, the offline mode is basically non existent in Drive SnapShot - from what I've read, it requires the creation of a floppy boot disk - I don't even have a floppy drive! However, there is an alternative way to do it, but I'll have to let demoneye explain it.

Anyway, its restoration from Windows seems perfect - just tested it on my REAL system and all seems perfectly intact. Not bad for a 250kb program that doesn't need to be installed!

And yes, Macrium Reflect seems like a good program. However, I only plan on restoring images if my primary hard drive dies or if my security setup and approach get bypassed - both highly unlikely scenarios! In fact, it's never happened to me in my life!

Sticking with Drive SnapShot here - great program. Worse come to worse (that is, worse case scenario), even if my primary hard drive dies, I'd simply buy a new hard drive, boot up with my normal Windows CD and install Windows. Then, I'd use Drive SnapShot (a 250kb file that doesn't need to be installed!) to restore my chosen image from my offline external hard drive and everything will be back to normal. A bit long winded for sure, but as I said, restoring images isn't something I'd need to be doing often at all!

Ruhe, I note that you've switched to Online Armor. Why and how is it going?

I used Online Armor Free for about a year and was quite happy with it. Obviously, it does contain a classical HIPS...something I've long moved away from (I've also used Comodo's Defense+ for a period of over a year).

ssj100 wrote:Ruhe, I note that you've switched to Online Armor. Why and how is it going?

Because of this http://www.online-armor.com/aprilmadness.php

So far I have no problems with it, it works very smooth without annoying the user and AFAIK it has one of the best HIPS. Altogether it's a superb security package containing AV/HIPS/Firewall. I'm not a friend of software by vendor A and other software of vendor B, I prefer complete packages, all under one hood (even if the AV in OA++ is by Emsi).

Why I do not use Comodo? Don't like it and them, and their AV is...forget it.

Ruhe wrote:

ssj100 wrote:Ruhe, I note that you've switched to Online Armor. Why and how is it going?

Because of this http://www.online-armor.com/aprilmadness.php

So far I have no problems with it, it works very smooth without annoying the user and AFAIK it has one of the best HIPS. Altogether it's a superb security package containing AV/HIPS/Firewall. I'm not a friend of software by vendor A and other software of vendor B, I prefer complete packages, all under one hood (even if the AV in OA++ is by Emsi).

Why I do not use Comodo? Don't like it and them, and their AV is...forget it.

Interesting. You say "without annoying the user". Can I ask what happens (or what you have to do) when you update or install something?

I personally try to minimise the number of real-time third party security software that I have (particularly those that hit the windows kernel). Currently I really only have Sandboxie running. You don't mention Sandboxie in your signature? When did you stop using it? Or did you never use it?

By the way, as far as I know, software which hits the windows kernel include the following:
1. Sandboxie
2. Classical HIPS: Online Armor's HIPS component, Comodo's Defense+ component, Malware Defender
3. DefenseWall

I'm sure there are many more, but I just can't think of them now.

I arguably have SuRun and Shadow Defender running in real-time also, although I don't think SuRun is known to cause any conflicts, while I only consider Shadow Defender "real-time" because I allow it to run a process in the background (and also it installs a driver). However, I only go into "Shadow Mode" when I need to (that is, when I'm downloading and recovering potentially risky files on to my system).

Hitman Pro is purely on-demand, and doesn't even run on start-up. I don't even have Drive SnapShot installed (there isn't any need to). And VirtualBox isn't really a security software.

Anyway, Comodo have improved their AV quite a lot. Also, there's one big advantage of Comodo over Online Armor. Comodo is completely free - that is, the free version is basically the full version, unlike Online Armor. Also, Comodo have integrated a sandbox into their latest version...I don't think Online Armor has that yet?

ssj100 wrote:Interesting. You say "without annoying the user". Can I ask what happens (or what you have to do) when you update or install something?

I will tell you if there is something to update (like Firefox). Currently I can't answer the question regarding behavior during updates.
The added apps are allowed to run and are set to trusted by OA or me but run with restricted rights ("RunSafer" feature of OA).

The recommendation is: "Set an app to trusted. If you do not trust it then don't use and remove it". So all apps I have installed and use will be set to trusted (by OA or by me). But apps like Firefox, Foxit Reader and so on - remember my posting about internet facing apps and apps that work with foreign files - will be set to trusted & restricted. "Trusted" means they can connect to the internet or do actions without asking the user.

/EDIT: Read this, http://onlinearmorpersonalfirewall.blogspot.com/2009/06/online-armor-best-practices-1.html

ssj100 wrote:You don't mention Sandboxie in your signature? When did you stop using it? Or did you never use it?

You have to say "...anymore". I stopped using it and uninstalled it a hour after starting with OA and because of this general design problem.

Ruhe wrote:The added apps are allowed to run and are set to trusted by OA or me but run with restricted rights ("RunSafer" feature of OA).

As far as I understand it, RunSafer is basically the same as what a LUA does, except LUA is much better. LUA is system wide, while RunSafer only runs selected programs with restricted rights. Again, typical security software company tactics - trying to sell what your OS already provides haha. Sorry for being cynical, but I like promoting the built-in security of the OS that you have already paid for.

Ruhe wrote:The recommendation is: "Set an app to trusted. If you do not trust it then don't use and remove it". So all apps I have installed and use will be set to trusted (by OA or by me). But apps like Firefox, Foxit Reader and so on - remember my posting about internet facing apps and apps that work with foreign files - will be set to trusted & restricted. "Trusted" means they can connect to the internet or do actions without asking the user.

It will be interesting to see how powerful OA's RunSafer really is. What you've basically done is that you are now completely relying on OA's RunSafer feature. How much is it able to restrict in the end? It sounds like it's trying to be a DefenseWall type application (policy restrictions) as well. Will it leave "frozen malware" like DefenseWall potentially can? What happens to this "frozen malware" when you uninstall OA? Furthermore, we know there is a proportion of malware that can run successfully even in a LUA. So at the end of the day, you'd be hoping that OA's RunSafer feature is much stronger than what a LUA provides (and I don't think it is).

Anyway, just contemplating stuff, and worse case scenarios haha. If you read my security setup/approach, you'll note that I've even taken into account malware that can execute without even opening it. It's all theoretical stuff for sure. You and I probably don't even need to run any security software at all, and would probably never get infected running as admin with no protection. But it's interesting discussing possibilities.

Don't forget, beside RunSafer there is still the HIPS, AV and Firewall.

Ruhe wrote:Don't forget, beside RunSafer there is still the HIPS, AV and Firewall.

Well, the HIPS and Firewall don't play a role if you set programs (malware threat-gates) to run as "trusted" by OA. So arguably, all you have is the RunSafer setting protecting those malware threat-gates + a "roll of the dice" AV.

I'm back on my previous setup again. I just feel safest with Sandboxie.

Yes, I know what you mean. Once you've used Sandboxie, it can be quite difficult "getting off it". It's almost like a drug haha.

Hi everyone, I've updated my security setup/approach post here:
https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm

The only change I've made is that I've added some further rules to "tighten up" my Software Restriction Policies.

Also remember the point of specifically denying executables like cmd.exe is that malware can no longer potentially exploit it. If you still want to use the command prompt, simply run a renamed "cmd.exe". That's what I do to allow Sandboxie's delete function to work smoothly.

Current security setup........

Active
DefenseWall 3.09

Light Virtualization
Shadow Defender 1.1.0.325

On-Demand (once in a while)
Hitman Pro
Malwarebytes Anti-Malware

OpenDNS
Opera

Removed Shadow Defender (on demand) from my security setup/approach. Realised that I rarely ever use it. There were really only 2 reasons I would use it for:

1. If someone was wanting to use my computer and could potentially "screw it up"
2. For reducing the probability of getting hit by malware like this (eg. a buffer overflow exploit using this method):
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

But I've now realised that in a Limited User Account with a system-wide default deny mechanism in place (SRP), reason 1. isn't really a problem at all. Worse come to worse, it only takes about 5-10 minutes to boot up a clean image with the amazing Drive SnapShot.

For reason 2., I feel that the probability of getting hit by a malware like that is so small that it's negligible. Even if such malware did exist out there, it would almost always try to download and execute a "payload" file which would be easily denied from running by the default deny mechanism (SRP). And again, worse come to worse, loading up a clean image with Drive SnapShot isn't hard to do.

Furthermore, I'm fairly certain Shadow Defender installs itself in kernel mode and thus there is the risk of conflict with Sandboxie (I noticed one such conflict earlier in the year: http://www.shadowdefender.com/phpbb/viewtopic.php?f=3&t=106 )

And finally, if my theory is correct, the more third party security programs we have installed on the same system that hook the kernel (Sandboxie, DefenseWall, Shadow Defender, Returnil, Malware Defender, Comodo Firewall, Online Armor etc), the more chance of not only conflict, but of getting hit by clever buffer overflow attacks of which there is probably no defense against:
http://www.sandboxie.com/phpbb/viewtopic.php?p=53692#53692

ssj100 wrote:And finally, if my theory is correct, the more third party security programs we have installed on the same system that hook the kernel (Sandboxie, DefenseWall, Shadow Defender, Returnil, Malware Defender, Comodo Firewall, Online Armor etc), the more chance of not only conflict

I think thats the main reason why I'm trying to install and run as few as possible now.

One example is a conflict I had between DefenseWall and KeyScrambler: random BSOD. This was solved by uninstalling KeyScrambler.

Ruhe wrote:

ssj100 wrote:And finally, if my theory is correct, the more third party security programs we have installed on the same system that hook the kernel (Sandboxie, DefenseWall, Shadow Defender, Returnil, Malware Defender, Comodo Firewall, Online Armor etc), the more chance of not only conflict

I think thats the main reason why I'm trying to install and run as few as possible now.

One example is a conflict I had between DefenseWall and KeyScrambler: random BSOD. This was solved by uninstalling KeyScrambler.

That's exactly right. However, BSODs are mainly just annoying. What could be worse is that running so many third party security software (especially kernel hooking ones) could cancel them out and potentially let malware bypass all these security programs. That's exactly what seemed to happen (to an extent) in the Sandboxie + Shadow Defender conflict I described in the link above. It could have easily gone by without anyone noticing if I wasn't in the mood to experiment. Tony (Shadow Defender's developer) took it serious enough to fix the issue in a later release.

"Also, why specifically do you want to have outbound connection control? Asked by ssj 100."


I use a lot of no-cd's for my games, and don't trust them that much. I don't play online very much, so I don't want them to have a connection, this is for the no-cd's .exe and the game itself.

I can understand why you'd want to prevent the no-cd's .exe from calling out (they are not trusted programs by any stretch of the imagination), but I'm not sure why the game itself would need to be blocked (unless the game is from an untrusted source too).

Seven X64 with DEP, CIS4 in Proactive Mode, FW/D+ in Safe Mode, Sandbox Enabled, no AV, CTM for quickly snapshots and Macrium Free and Seven image for disaster recovery.

It serves me very well coupled with Firefox with NoScript and AdBlock (Ghostery and Beef TACO for curiosity).
For IM Pidgin with OTR, TrueCrypt for a container with some sensitive files and KeePass for all my passwords.

I'm not really a security paranoiac but for fun maybe someday I'll try LUA and SRP/AppLocker.