Best protection against malware?

Tookeri

Security enthusiast
Guru
VIP
I came across this article that demonstrates how extremely effective a feature like AppLocker is. It becomes very reliable when applied to 500 Windows 7 computers over 3 years as in this case. The result: Not a single malware infection compared to several a week prior to applying AppLocker! Amazing :)

Free, almost perfect, malware protection with GPO App Locker - Spiceworks

Windows 7 versions:


Personal experience
I'm using SRP and have configured it to only allow executable files to start from the Windows and Program Files folder, folders that require admin permissions to write to. Executable files include exe, com, bat, vbs, dll and more. This basically means that only installed programs and those part of Windows can start. Any downloaded executable files or files from other drives including USB ones will not be allowed to execute.
Many automatic program updates (including Windows Update) will still work, but apps using files in user folders or in temp folders won't, for example Firefox. So to update such a program or install a new program you'll have to temporarily turn SRP off. It only takes a few seconds extra once you've set it up the way you want to, a small price to pay for a great protection. You might have to add additional exceptions for programs that for example run from AppData instead of Program Files.

Example: if you copy the Windows Calculator (calc.exe) to the desktop and try to run it. (Your desktop should only contain links/shortcuts to executables.)
srp_block_prompt.png


Stay safe! :cool:
 

My Computer My Computer

At a glance

Windows 7 Pro 32Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz4,00 GB (Usable 2,98)NVIDIA NVS 5100M
Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
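
The policy described in the post above, modelled as an added example (not code from the thread, and not how Windows itself implements SRP): default-deny for the executable types the post lists, with path allow rules for the Windows and Program Files folders. The `C:` drive, the user name, `ExampleApp` and all sample paths are constructed assumptions.

```python
import ntpath
from pathlib import PureWindowsPath

# Extensions named in the post; the post notes the real list has more entries.
DESIGNATED_TYPES = {".exe", ".com", ".bat", ".vbs", ".dll"}

# Allow rules from the post. The drive letter C: is an assumption.
ALLOWED_ROOTS = [r"C:\Windows", r"C:\Program Files"]


def _parts(path):
    """Normalise a Windows path: collapse '..', unify slashes, fold case."""
    return tuple(p.lower() for p in PureWindowsPath(ntpath.normpath(path)).parts)


def is_under(path, root):
    """True if path lies inside root, compared per component.

    Comparing whole components (not a character prefix) keeps a sibling
    folder such as 'C:\\Program Files Extra' from matching 'C:\\Program Files'.
    """
    p, r = _parts(path), _parts(root)
    return len(p) > len(r) and p[: len(r)] == r


def evaluate(path, allowed_roots=ALLOWED_ROOTS, enforced=True):
    """Return 'allow', 'block' or 'not-subject' for one launch attempt."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext not in DESIGNATED_TYPES:
        return "not-subject"          # e.g. documents: the policy ignores them
    if not enforced:
        return "allow"                # policy temporarily turned off for an install
    if any(is_under(path, root) for root in allowed_roots):
        return "allow"
    return "block"                    # default level: disallowed


# Constructed launch attempts covering the cases the post mentions.
SAMPLE_ATTEMPTS = [
    r"C:\Windows\System32\calc.exe",                  # part of Windows
    r"C:\Users\user\Desktop\calc.exe",                # the copied calculator
    r"E:\setup.exe",                                  # other drive / USB
    r"C:\Users\user\AppData\Local\Temp\updater.exe",  # updater in a temp folder
    r"C:\Users\user\Downloads\notes.txt",             # not an executable type
    r"C:\Windows\..\Users\user\Desktop\calc.exe",     # '..' must be resolved first
    "c:/program files/App/app.EXE",                   # case and slash variants
    r"C:\Program Files Extra\tool.exe",               # sibling folder, not a child
]


def simulate(attempts=SAMPLE_ATTEMPTS, allowed_roots=ALLOWED_ROOTS):
    """Evaluate every attempt and return (path, verdict) pairs."""
    return [(p, evaluate(p, allowed_roots)) for p in attempts]


if __name__ == "__main__":
    for path, verdict in simulate():
        print(f"{verdict:12} {path}")
```
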
Hi,
Sounds like pretty extreme measures
I suppose that last popup message needs a "Mother may I" if I promise to eat all my veg's :p
 

My Computer My Computer

At a glance

Win-7-Pro64bit 7-H-Prem-64biti7-5930K 2nd i9-9940x both water blocked VRM'...Trident-z 3200C14 2nd Trident-z 3600C16EVGA 1080ti ftw3 2nd Titan Xp both water blocked
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom assembled by me :}
OS
Win-7-Pro64bit 7-H-Prem-64bit
CPU
i7-5930K 2nd i9-9940x both water blocked VRM's too
Motherboard
ASUS SABERTOOTH X99 2nd ASUS x299 Apex
Memory
Trident-z 3200C14 2nd Trident-z 3600C16
Graphics Card(s)
EVGA 1080ti ftw3 2nd Titan Xp both water blocked
Sound Card
Built-in Realtek
Monitor(s) Displays
1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24" 144Hz
Screen Resolution
1920 x 1080 144Hz
Hard Drives
2-Samsung M.2 Evo & Evo Plus
2-Samsung 850 EVO 500GB SSD's/ 3-2.5 W.D. Black 1tb-&3-1tb/3-3.5 WD Black 1tb hdd's
PSU
EVGA SuperNOVA 1000-P2 2nd 1200-P2
Case
2-Corsair Obsidian Series 450D Black ATX Mid Tower
Cooling
Custom water loops
Keyboard
Logitech G710+/ 2nd Logitech G910
Mouse
2-RedDragon M901 Perdition 16400 dpi Gaming mouse = wired
Internet Speed
Comcast Ping 19ms 89.31mbps download speed 6.12mbps upload
Antivirus
Malwarebytes Pro/ Superantispyware Pro
Browser
FireFox & Pale moon
Other Info
2nd ASUS X299 Apex/Intel i9-9940x with Custom water loop/7H-Prem-x64/Corsair 450D case/Ram Trident-z 3600C16 4x8gb / Samsung970Evo plus 500gb SSD/Dual ssd EZ swap evo/PSU EVGA SuperNova 1200w-P2 80+Platinum/GPU Titan Xp /8-ML-140 on push-pull on 2-280GTX rads
I don't think so, it once again proves how anti-virus and anti-malware products fail to protect you. The article mentions prior to AppLocker dealing with 3-5 infections a week, some in need of a complete reimaging. And note that they weren't even using admin accounts.
Monitoring 500 computers over 3 years is not something a home user can do and that's why I think this is an excellent article.
 

Over time, I've become more aware of "whitelisting" with my security programs, whether it be Classic HIPS, anti-exes, firewalls and so on. AppLocker, among others, are very solid programs, but require a bit of learning and patience, but once you get the hang of things, I think you'll be surprised at how effective they can be. My current setup is almost entirely based on that principle, even while web browsing as I don't allow anything in the page to load, unless it's a trusted page, or I go through and manually allow objects.

For the most part, everything that needs to connect to the internet, or have access to certain folders has been whitelisted in my setup, so that if anything, even if it's a non-threat, attempts to run, such as the calculator, it will be blocked once, then I can allow it for future use. I like to know what's trying to run and even if sometimes it can be a hassle (forget to temporarily whitelist objects or decrease protection levels for installs and whatnot) it's better than getting caught off guard.

Of course, common sense is your best anti-malware tool, but even the best of us slip up now and again, but I've been malware free for years, even in the days of using anti-viruses, but I prefer prevention over reaction or detection, since I would do an image restore if I became infected anyhow, so removal of malware for me is to nuke it :devil:
 

My Computer My Computer

At a glance

Microsoft Windows 7 Professional 64-bit SP1Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz8.00 GBNVIDIA NVS 3100M
Computer type
PC/Desktop
OS
Microsoft Windows 7 Professional 64-bit SP1
CPU
Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
Motherboard
Dell Inc. 0K42JR
Memory
8.00 GB
Graphics Card(s)
NVIDIA NVS 3100M
Sound Card
(1) NVIDIA High Definition Audio (2) IDT High Definition A
Monitor(s) Displays
1
Screen Resolution
1440 x 900 x 32 bits (4294967296 colors) @ 59 Hz
Hard Drives
Samsung SSD 840 PRO Series ATA Device
Berkey, we think the same you and I. I would say prevention is the ONLY true defense :)

I see you have both ERP and AppGuard. In case you didn't know: SRP is built-in and free in Win 7 Pro.

About UAC and Standard vs Admin account I recommend reading this if you haven't seen it already:
http://www.sevenforums.com/general-...ices-user-account-type-uac-2.html#post2988364

If there's one thing you could add in your arsenal of protection it's an anti-exploit like EMET or MBAE.

The above are only my thoughts to your list of protection apps. But not many have such a good security setup as you have so I'm not sure any of my "tips" come as news to you ;)
 

Berkey, we think the same you and I. I would say prevention is the ONLY true defense :)

I see you have both ERP and AppGuard. In case you didn't know: SRP is built-in and free in Win 7 Pro.

About UAC and Standard vs Admin account I recommend reading this if you haven't seen it already:
http://www.sevenforums.com/general-...ices-user-account-type-uac-2.html#post2988364

If there's one thing you could add in your arsenal of protection it's an anti-exploit like EMET or MBAE.

The above are only my thoughts to your list of protection apps. But not many have such a good security setup as you have so I'm not sure any of my "tips" come as news to you ;)

Indeed. Prevention will save a lot of headaches.

I've used SRP, with great success, but once I started to test applications such as Appguard and NVT, I just got hooked on them, so I've been a user ever since.

The UAC isn't so much as a security setup as much as it is a "are you sure you want to do this" setup, as I learned a hard and valuable lesson a few years ago about being too hasty with decision making, which essentially led to a clean re-install, so more of a double checker if you will.

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

uMatrix I feel is one of the best defenses above all, since when you tweak it the way I have it, nothing will load in a webpage unless whitelisted, which can completely prevent a page from showing anything, or if a particular domain is un-trusted, won't even allow you the chance to whitelist, unless you override it.

Then again, good ol' Sandboxie always has my back for the "how in the world", but I haven't had any malware detection in ages and that was before I had really anything in this setup, because as we all know, common sense is the best tool for prevention :D

Thanks for the input!
 

Thank you too! I've been close myself a few times to install additional security products but I've managed to stop myself in time and realize I don't need more. But it's always interesting to at least read about them :)

I don't use Chrome but I recognize the concept which sounds like NoScript for Firefox. An excellent extension for the more advanced users.

I've been following the development for Alert 3 for the last year and I'm very impressed. It's no doubt better than MBAE and EMET. I must have read your signature wrong and missed "Alert" so I only saw "Hitman Pro". You had it already covered!

I agree Sandboxie is a product you can count on. Seen this? http://www.sevenforums.com/security...are-variant-has-new-defenses.html#post2981906
A nice proof how good it is when ransomware quits if it detects it's running. For two reasons I believe: they know it's hard to break out from it, and they don't want to leave traces of the malware in a sandbox since it's easier to trace it there.

About UAC I get the feeling maybe you didn't check out the link. A malware only needs standard user access to be able to get around UAC if the user is logged in as an administrator (or Protected Admin as it's called). The link shows one way how this can be done.
Bottom line: You can and should only trust UAC in a standard user account. Not in an admin account.
 

I've read the link. I use a standard account, as one of the reasons I started to get more into security was way back in college with XP, I always used to create my standard account as the ADMIN, then I'd keep getting infested, until one of the IT guys in the lab sat me down and showed me a few simple "duh" things to do and help your cause.

I like running as standard, with UAC, it allows me to elevate whenever I need to from within a standard user account. Like last week on my VM I was playing with pre-made reg files and had them side by side on my desktop, which I boneheadedly clicked the wrong one and when the UAC popped up, I read that it was the wrong file, so it saved me from granting the permission. Then again, I read when those boxes pop up, most average users do not, so they generally disable it.

I would hope MS would enhance the meaning behind UAC, as most people are annoyed with it (if they don't disable it) and just click yes anyhow, so they might as well disable it. However, if the warning box said something like: "Do you want to grant XYZ administrator rights? If yes, you understand that then viruses and malware can be more dangerous if it is contained within the file as they will have the most permission" or something along those lines.


Great input on that thread and your post in particular! I remember reading a very in depth study on UAC and the difference between Standard and ADMIN account. I'll see if I can dig it up and send it to you as it was a fun read.
 

HitmanPro.Alert3

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

I tried HitmanPro.Alert3 beta and more recently HitmanPro.Alert3 RC but it didn't want to protect any non-standard browsers or non-standard internet-facing apps and also blocked VLC and Thunderbird. I suspect that's because I've got EMET installed. Do you have EMET or did you need to remove it before installing HitmanPro.Alert3?

Thanks!
 

My Computer My Computer

At a glance

Microsoft Windows 7 Home Premium 64-bit 7601 ...AMD C-60 APU with Radeon(tm) HD Graphics4.00 GBAMD Radeon HD 6290 Graphics
Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

I tried HitmanPro.Alert3 beta and more recently HitmanPro.Alert3 RC but it didn't want to protect any non-standard browsers or non-standard internet-facing apps and also blocked VLC and Thunderbird. I suspect that's because I've got EMET installed. Do you have EMET or did you need to remove it before installing HitmanPro.Alert3?

Thanks!

Hi Callender,

EMET and HMPA should be compatible but I don't see much use of running both EMET and Alert with Exploit Mitigations, since they are rooted in similar backgrounds. Obviously different software, but it's how I would view running multiple anti-viruses at the same time (although you might be able to do that now, but I haven't used an AV in so long I'm not sure).


This should do the trick for adding custom apps:

1. If you haven't done so, put the GUI in advanced mode. Click on the little gear in the upper right hand corner and select advanced GUI.
2. Start the app you want to add.
3. In the GUI click on the big blue box "exploit mitigations".
4. Select running applications.
5. You should see your app as unprotected.
6. Click on it, and then select the protection type that best fits the application.

Then you restart the application and you are good to go.

Let me know how it works out for you
 

Attachments

  • hm1.png
  • hm2.png
  • hm3.png

HitmanPro Alert 3

Okay thanks for the info. I'll try reinstalling HMPA 3 again later this week and see how it goes. Really I was trying to test it without removing EMET. I've got an idea that if I disable all mitigations in EMET without actually uninstalling it then it maybe won't interfere with HMPA 3.
 

Okay thanks for the info. I'll try reinstalling HMPA 3 again later this week and see how it goes. Really I was trying to test it without removing EMET. I've got an idea that if I disable all mitigations in EMET without actually uninstalling it then it maybe won't interfere with HMPA 3.

No problem, I still think the latest builds should work with EMET and even MBAE running side by side, as I read HMPA likes to test with similar software running. Anyhow keep me posted:)
 

HMPA RC 3 vs EMET

Okay so I reinstalled HMPA RC alongside EMET - just to test HMPA. I don't wish to remove EMET just yet. This time it actually works. Last time I installed it no browsers would launch nor Thunderbird or VLC.

Still had a problem with VLC:

VLC.jpg

Solved by disabling the following:

VLC 2.jpg

Browsers all protected and launching okay:

Browsers.jpg

Added EM Editor and a few other apps - all okay.

Apps.jpg

I'm fairly impressed with HMPA 3 but I'm not sure if there's any additional protection worth paying for over and above running EMET (free), VoodooShield (Pro), HitmanPro Alert 2.6.5 (free) and SecureAPlus (free). In particular if any new process is spawned through an exploit, VS will kill it.
 

I would say if you like EMET, then yes, the free version is the way to go. It's a nice little browser add-on.
 

I'm fine with EMET too along with the free version of HMPA 3 (eventually). But only because I have several other great security layers in place. But I'm very impressed with HMPA 3 including the exploit mitigations!

Here's a quick summary of HMPA 3 free/paid if anyone's interested:

HitmanPro.Alert requires a license for Exploit Mitigations and Active Vaccination. All other features are free.
HitmanPro.Alert Support and Discussion Thread | Page 154 | Wilders Security Forums

HITMANPRO.ALERT 3 FEATURE OVERVIEW

  • Install-and-Forget: Signature-less protection suitable for Home Users, Power Users and IT Professionals
  • Exploit Mitigations (Anti-Exploit): Aims to stop attackers from exploiting software vulnerabilities
  • Fine-grained Exploit Mitigation Settings: Allows experienced computer users to change individual mitigations, per application
  • On-demand Malware Detection and Remediation: Integrated Anti-Malware scanner
  • BadUSB Protection: Blocks malicious USB devices that pose as a keyboard
  • Safe Browsing (Man-in-the-Browser Detection): Warns when malware manipulates the browser; behavior-based
  • Active Vaccination: Makes sandbox-aware malware self-terminate
  • CryptoGuard: Protects your data against CryptoLocker, CryptoWall, TorrentLocker, OphionLocker, CoinVault and variants; behavior-based
  • Webcam Notifier: Blocks the webcam when it is (secretly) accessed
  • Keystroke Encryption: Protects credentials against keyloggers in the browser
  • Hollow Process Protection: Protects the main executable of a process against unmapping
  • Network Lockdown: Helps to stop attacks that connect back to command-and-control
  • Full 64-bit Support: Offers 64-bit applications same protection as 32-bit applications
  • Software Radar: Automatically protects new browsers, plug-ins, media and office applications
  • Easy-to-Use High DPI User Interface: Suitable for Home Users, Power Users and IT Pros
  • Advanced Exploit Reporting: Logs advanced technical data for forensic threat analysis
  • Multilingual User Interface: English, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Brazilian Portuguese, Russian, Spanish
  • Antivirus Compatible: Runs alongside third-party antivirus or internet security software

ANTI-EXPLOIT // CODE MITIGATIONS

  • SEHOP: Stops abuse of the structured exception handler
  • Stack Pivot: Stops abuse of the stack pointer
  • Stack Exec: Stops attacker's code on the stack
  • Software Stack-based Anti-ROP: Stops return-oriented programming (ROP) attacks (part of Control-Flow Integrity)
  • Hardware-assisted Branch-based Anti-ROP: Programs microprocessor to stop ROP attacks (part of Control-Flow Integrity)
  • Import Address Table Filtering (IAF): Prevents attackers from snooping function addresses (part of Control-Flow Integrity)
  • Caller Check: Stops processes called from attacker-controlled memory (part of Control-Flow Integrity)
  • Load Library: Stops modules that load from insecure network paths
  • Application Lockdown: Prevents abuse of logic flaws and stops attacks that bypass mitigations (incl. Office macros)

ANTI-EXPLOIT // MEMORY MITIGATIONS

  • Enforce DEP: Prevents abuse of buffer overflows
  • Mandatory ASLR: Prevents predictable code locations
  • Pseudo ASLR for Windows XP and Windows Server 2003: Prevents predictable code locations of modules on legacy Windows (part of Mandatory ASLR)
  • Bottom Up ASLR: Improves code location randomization (ASLR)
  • Null Page: Stops exploits that jump via page 0
  • Heap Spray Pre-Allocation: Stops attacks that start via common memory addresses on the heap (part of Dynamic Heap Spray)
  • Dynamic Heap Spray: Stops exploits that start via the heap; behavior-based

HitmanPro.Alert Support and Discussion Thread | Page 128 | Wilders Security Forums
 

I am very happy with the paid version of HMPA, I feel it complements my setup very nicely and of course offers more than just one layer.
 

HMPA 3 free?

I'm fine with EMET too along with the free version of HMPA 3 (eventually). But only because I have several other great security layers in place. But I'm very impressed with HMPA 3 including the exploit mitigations!

Here's a quick summary of HMPA 3 free/paid if anyone's interested:
HitmanPro.Alert Support and Discussion Thread | Page 154 | Wilders Security Forums

Thanks for the info. I'd assumed that there was only a paid for version available. Free will do just fine.

On another note I heard that NVT ERP is going to be free soon. Already tried their Driver Radar Pro.

:thumbsup:
 

I'm fine with EMET too along with the free version of HMPA 3 (eventually). But only because I have several other great security layers in place. But I'm very impressed with HMPA 3 including the exploit mitigations!

Here's a quick summary of HMPA 3 free/paid if anyone's interested:
HitmanPro.Alert Support and Discussion Thread | Page 154 | Wilders Security Forums

Thanks for the info. I'd assumed that there was only a paid for version available. Free will do just fine.

On another note I heard that NVT ERP is going to be free soon. Already tried their Driver Radar Pro.

:thumbsup:

It has already become freeware like Radar Pro. I hope it is not a sign to come for many of the past programs that went from paid, then freeware (with donations) then abandonware. I was speaking with the developer and suggested that ERP free would be just fine, but if he could somehow roll up ERP, Driver Radar, Kernel mode, drivers manager, Ring 3 API hook scanner, DLL uninjector, Anti rootkit, Write Process Memory manager, Handle tracer just to name a few into one paid version, as they are all great free or separate tools. In any case, a great program just became free so don't miss out.
 

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.


Stronger and stronger with each build? Since when have they last updated it? Not for quite some time! I personally feel more confident with Malwarebytes Anti-Exploit Premium.
 

My Computer My Computer

At a glance

Windows 7 64 bitIntel Core i7 4770 @ 3.40GHz Haswell 22nm Tec...12.0 GB of PC3-12800; Mix of Hyundai and Micr...NVIDIA GeForce GT 635
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 64 bit
CPU
Intel Core i7 4770 @ 3.40GHz Haswell 22nm Technology
Motherboard
Dell 0KWVT8
Memory
12.0 GB of PC3-12800; Mix of Hyundai and Micron memory
Graphics Card(s)
NVIDIA GeForce GT 635
Monitor(s) Displays
DELL U2311H
Screen Resolution
1920x1080
Hard Drives
Seagate Barracuda ST1000DM003 1TB
Antivirus
Avira Antivirus Pro
Browser
Firefox