Secure without Agents? A Discussion

[Dikphy]

Just registered, but by no means a new reader!

This is a discussion, on something neither too hot nor too deviant. Allow me to present first.

Recalling that I once read an article on How-to Geek several years ago, the author saying he hadn't used real-time antivirus for 10+ years, no trouble, confirmed by annual online scan.

Recalling that right here, probably MC recommended an article about PlaceboAV, that was the second instance of my encountering formal argument against the "mainstream" evaluation/perception of digital risk.

However, I was still hanging on Avira, until Nov 15, 2010 (do not laugh, please, I started then my attempt to demonstrate something). In terms of HIPS, I started with Comodo ca 5 years ago, later purchased a lifetime license of Outpost Firewall (it's network/web filtering is the finest and the handiest to configure, but off-topic here), became obsessed with HIPS configuration... not surprisingly, my system hadn't got infected for at least 5 years. But I was still having some slight impression that this was due to the "agents" I had been employing, but after some brief introspection, i.e. how many threats have my agents blocked/killed for me these years? One or two I guess. The rest was to allow, allow, allow! (I guess what I am describing isn't uncommon.) Realizing that, I started to seriously reconsider the value of the employment:

I started to use security applications because I became conscious about the existence of malware, and it was exactly this gain of consciousness that fundamentally changed my risk state. Unfortunately, this happy transition of the mind correlated with the employment of the security agents, tricking me that it was the agents who were saving my a$$.

Feb 27, 2011, I finally decided to uninstall Outpost, giving up all the painstaking configurations. Outpost was by no means useless to me, besides fine-controlling processes' network/disk/memory/filesystem access, it actually offered nifty extras like ads filtering, blocking javascripts on specified websites, denying access to specified directories, etc, but thinking of all the boring questions I had to answer every time I update/install applications, and being aware of the fact that, as a Firefox user, ad-blocking and js control are state-of-the-art, also with Windows's built-in security policy system, and it's fairly "advanced" firewall (but definitely the lightest), etc, keeping this Outpost agent on my system was far away from cost-effective. Therefore it was fired eventually.

Has been half a year running Windows 7 32-bit w/o on-access anti-whatever and HIPS, no issue. However, WinPatrol Pro is being used, but it's not strictly speaking a HIPS, but better defined as an application of Infiltration Detection; Briefly, it's auditing, not blocking, it's a good assistant, but I keep it mainly because it does not compromise computing performance.

I'm not careless, I'm on the paranoid side, but with a bit of rationality, I started to change the traditional approach and attitude dealing with computer security.

Quote from Dedoimedo,

Quote:

Anti-virus software can be a good product for you, but it's a matter of your state of mind rather than any state of software.

Very welcome to present your ideas and experiences to me and to us all. Thanks for the reading!

[Taurus]

Quote:

Originally Posted by Dikphy

WinPatrol Pro is being used, but it's not strictly speaking a HIPS, but better defined as an application of Infiltration Detection; Briefly, it's auditing, not blocking, it's a good assistant, but I keep it mainly because it does not compromise computing performance.

This is not exactly a true statement, and I'm not sure we should be talking about Winpatrol Plus on a freeware forum. Winpatrol Plus can be set to block changes to your system. I do have a life time license for Winpatrol Plus, am very familiar with its capabilities, and am fully aware that the program can be set to block changes to your system.

Mods, please feel free to remove this post if it is not appropriate for this freeware forum.

[Anupam]

Yep, we won't be allowing discussions on commercial software here. If that discussion is required, it can be done via PM. At present, its OK Taurus .

Regarding running without an AV, some people here have been doing that. But, the key software in that is Sandboxie. I think you should give Sandboxie a try, if you decide to be without an AV, or a firewall.

I would not recommend going without a firewall. If you think that the firewall you had was heavy, and cumbersome, you can opt for a lighter firewall, like PC Tools Firewall, or ZoneAlarm Firewall etc.

More people will chip in to this thread, who have been running without AV for sometime now, and give valuable suggestions .

[Taurus]

Quote:

Originally Posted by Anupam

Regarding running without an AV, some people here have been doing that. But, the key software in that is Sandboxie. I think you should give Sandboxie a try, if you decide to be without an AV, or a firewall.

More people will chip in to this thread, who have been running without AV for sometime now, and give valuable suggestions .

Yep, Sandboxie with Firefox or Chrome on a Limited or Standard User Account, and an occasional on demand scan with HMP or MBAM. And use an imaging program of your choice to back up your data and image your system partition.

I'm sure Bo, Blue, or J_L will be along with their input.

Oh, and thanks Anupam! You're always such a gentleman.

[blues]

Quote:

Originally Posted by Taurus

Yep, Sandboxie with Firefox or Chrome on a Limited or Standard User Account, and an occasional on demand scan with HMP or MBAM. And use an imaging program of your choice to back up your data and image your system partition.

I'm sure Bo, Blue, or J_L will be along with their input.

Oh, and thanks Anupam! You're always such a gentleman.

Well, I'm a bit newer to the team as far as not running a real-time antivirus is concerned but so far, so good.

In my view, Sandboxie does most of the heavy lifting due to the restrictions I impose on start/run and internet connections. I also take advantage of the "drop rights" feature (since I run as an admin).

Two other useful features are the files you "block access" to (for any program under Sandboxie's control) and the "read only" list.

Effectively, you can create a barrier by which malware shouldn't be introduced to your real system unless you download and install.

I have my "downloads" folder set up so that any executable would run sandboxed if started from within the folder (without my temporarily authorizing it or moving the app from the folder).

If you scan your downloads with an on-demand scanner, Jotti or VirusTotal you should pretty much have as much info as a real-time AV would give you.

And finally, I rely on HIPS alerts from Online Armor (free version) or notifications from WinPatrol (you can use the free version for this) to advise of certain changes to the system setup.

Works for me. Bo runs with a more streamlined setup than I do and that setup works well for him. I may end up paring down further as time goes on.

Like T mentioned, imaging provides a great safety net if and when all your best plans go awry. (And my thanks to him for helping me incorporate imaging into my own security setup.)

Hope that this info helps provide some further food for thought.

[Dikphy]

Quote:

Originally Posted by Anupam

Yep, we won't be allowing discussions on commercial software here. If that discussion is required, it can be done via PM.

Understood. I should have been conscious about the place. It's about freeware. Let me edit my post.

P.S. Not allowed to edit the post anymore...

[Dikphy]

Quote:

Originally Posted by Taurus

Mods, please feel free to remove this post if it is not appropriate for this freeware forum.

What a gentleman, there exists a role called mod-moderator I'm aware.

[Anupam]

Dikphy, don't worry, its alright in the present form . Rest I have written in the PM.

[Anupam]

Quote:

Originally Posted by Dikphy

What a gentleman

Yes, indeed . We have really good people on the forum, and it feels really good to share information with them. Some of them, as you already see, have been around for long, and know how this forum works. Its wonderful to have such good people here... and it all feels like a part of a big family.

[Taurus]

Quote:

Originally Posted by blues

I may end up paring down further as time goes on.

Hi blues. For heavens sake man, at least loose EAM. All you'll end up doing is resolving false positives for them.

You've got better things to do than that! Like mastering your imaging software and storage system. I do hope that is going well.