Comodo members' recommendations on securing your OS

Now, let’s start!

(Only complete instructions/lists) wanted.

:BNC

  1. Router ;D

  2. A good firewall - CFP 3, Online Armor (Paid or Free), Outpost.

  3. A good antivirus - Avira 8, Avast 4.8, AVG 8 (out of these 3 - AVG is the worst IMO, but some people like it) if you want a free antivirus.

Kaspersky, NOD, BitDefender or some other kind you like if you want a paid antivirus

  4. Security Suites - Kaspersky Internet Security, BitDefender Internet Security or Eset Smart Security (Avira’s internet Security is good, but the firewall sucks)

  5. On Demand Scanner - Super AntiSpyware, Malware Bytes AntiMalware or Spyware Terminator (SpyBot sucks) if you want free scanners
    Spyware Doctor or SpySweeper if you want good, but paid protection.

  6. Some kind of Virtualization Software :slight_smile:

A good antivirus - Avira 8, Avast 4.8, AVG 8 (out of these 3 - AVG is the worst IMO, but some people like it) if you want a free antivirus

you forgot to mention that avast is even more ugly than avira :slight_smile:

Best Fw: Comodo 3
Best Av: Avira
Best free Trojan Scanner: a2 free beta
lovely additional shield: BOClean

PS: You forgot to mention nLite / vLite…

:■■■■

n/vLite is not classified as security software. Then you should add that you need a safe browser (Opera, FF3) and BRAINS for safe browsing and downloading ;D
And I don’t agree with a2 being a best trojan scanner. I think it stinks. But of course it’s better than nothing ;D

why do you think a2 stinks?

I got many FP’s while using it. >:(

BTW - avast’s default interface may be confusing and awkward to navigate, but you can use skins or make the interface so simple that even a 90 year old grandma can easily find things ;D

n/vLite is not classified as security software

Haven’t tried vLite yet…

But, of course, nLite has to be classified as some kind of security software :slight_smile:
And brain 3.0 of course. :-TU
Don’t agree?

I got many FP's while using it.

Well, had one single fp in three years.

???

I don’t know how about now, but when I used it - it was bad :slight_smile: And it was ineffective too. It couldn’t delete anything it found on my sister’s infected laptop (my sister used to infect her comp very frequently in the past >:( ;D)

[1] router
[2] software firewall
[3] Antivirus
[4] Antimalware (realtime and on demand scanners)
[5] software patches (like windows update, apple software update and other program updates)
[6] prevention utilities (like mcafee siteadvisor, linkscanner, Verification engine)
[7] cleaner programs (like ccleaner, and other optimization tools)
[8] safe browser configurations
[9] limited user account rights
[10] Make regular backups (once a week)

Use your brains and your eyes ← USE THIS FIRST, IF FAILS STEP 1 TILL 10 CAN SAVE YOUR ■■■!

I’m going to have to agree and go with brains. That or the picture attached.

[attachment deleted by admin]

:frowning: hhmmffh >:(
these are my security set up:

  1. CFP 3 w/ defense ==>safe mode (:HUG)
  2. Avast 4.8 (:HUG) the gui sucks, i use spiderman skin btw ;D , i like the email scanner,webguard & the sound when it catch nasty ;D
  3. expired Dr.webCureit (:TNG)
  4. returnil, but never use it

At home I use a router, which simplifies a lot of blocking issues, and have a Linksys WRT54G with the very flexible Tomato firmware. But mostly I worry about using my computers with open wifi systems. I do a lot of sailing, and use whatever is accessible in various harbors and marinas. I spent 6 months cruising Mexico without problems, so am reasonably satisfied with my setup. Mostly use club or community or open wifi provided by the local sailors, other times of unknown provenance-all have wireless routers that you can’t trust.
So:

  1. A good firewall/HIPS system-I use Comodo V3 on my main Vista system, but am also beta testing Online Armor for Vista on my backup system. Both seem very versatile, although I have much more experience and comfort with CFP3. Never! Never! Never! trust anything you don’t really understand.
  2. A good antivirus, since I don’t believe users are constantly attentive enough to just use HIPS for everything. And the big “this is a virus, dummy” popup makes it easier to avoid the “Paris/Britney” sites. Avast 4.8 is my choice, and I have it set up to scan encrypted email, which I always use for privacy. And the anti-spyware/anti-rootkit is a plus.
  3. On demand scans of SuperAntiSpyware, since it’s free and easy to use. Have never found anything, though. Could easily live without it.
  4. Acronis True Image on a weekly basis, including redundant drives, one mostly offline to avoid disk destroying malware. All of the efforts to remove malware may only leave you with the restored hulk if you get infected, unless you have a way of getting your data back.
    I avoid suites, and feel much more comfortable with a “best of breed” approach that allows concentration on my specific concerns.
  5. Some miscellaneous stuff. Keep Vista up to date, including the malicious software remover tool, Windows Defender. Also use MVPS hosts file to avoid some malware sites, but mostly as an ad blocker.
    So nothing really unusual or complicated, in spite of the open wifi environment. But I am a relatively safe surfer, don’t play games, use P2P, or do a lot of other things that cause worries about inbound connections. Lots of good stuff out there to protect your system. And I have UAC turned off and am an admin always, count on tools and attentiveness instead. :slight_smile:

  1. hardware firewall
  2. software firewall
  3. ip hider
  4. internet encryptor
  5. antivirus
  6. antispyware
  7. antitrojan
  8. antispam
  9. sandboxer
  10. virtualizer
  11. backup
  12. disabling some services which increase your protection
  13. latest updates from microsoft
  14. using ‘limited’ user

That’s about all I think

Xan

Ordered by importance:

Not granting admin rights / root access / whatever etc. unless necessary, certainly not when surfing the web.



Firewall. At least incoming protection. If you don’t want outbound I guess it’s okay, if you really really want to disable even the Windows firewall so badly because you already have one in your router I guess it’s okay, 88) but one incoming firewall at the very least. That is if you don’t have one in your router and don’t want to install a third-party one like CFP, don’t you ever take the Windows firewall down, never.

Updates. Keep your OS and sensitive programs patched.


Antinasties. Whatever you call it, and as many as you want if they don’t conflict. Comodo BOClean is very recommended and will play along well with any “antivirus”.

Browser configuration / web shields / etc. Javascript etc. attacks entail little danger if any if you don’t grant admin rights, but this comes handy also for cookies, that is privacy.

Sandbox. If you really want to try something dangerous, or that you may want to reverse completely.

HIPS. Defense+ yay!

Etcetera. Feel free to be a geek, you only get to live once. (:NRD)

1- Use_Your_Brain.exe . Includes no_cracks.dll, no_nude_girlz_movie_really-an-executable.dll, no_obscure_antispyware.dll and more.

2-Use a Limited User Account (LUA)

3-Configure a System Restriction Policy (SRP)
( i used to favor SSM free, but in light of recent reading and discussion, SRP is effective and can be installed on XP Home as well! )

4-Optionally SuRun to easily elevate privileges when needed. To install programs, to run programs that require admin rights, etc.

5-stuff you like (eg. i like CFP without Defense+, and Avast or Avira).

In that order. 5 has a lower priority.

Pertinent links:

LUA advantages
http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx

SRP configuration
http://www.mechbgon.com/srp/

Straightforward guides:

SuRun: Easily running Windows XP as a limited user

Maximising Windows XP security with LUA and SRP

  1. Disable dangerous and useless services (Remote Registry, Messenger, Remote Desktop, Telnet etc.).

  2. Get a router with MAC-filtering, strong encryption and assign the IPs manually, so that you can disable DHCP.

  3. Get CFP 3 with Defense+ in Paranoid Mode, and the Firewall in Custom Policy Mode. Configure everything manually, and you won’t have to answer any alerts.

  4. Use a limited account if you want to. Only login to your administrator-account when you need to change the system time!

  5. Get an on-demand antivirus-scanner, and an on-demand antispyware/adware/whatever-scanner. Keep it updated and run a scan about once a month. Defense+ should handle everything, but if you download a file, you can always scan it.

  6. Get an antirootkit tool. Scan with it only if you suspect you’ve been infected with some unknown malware.

Cheers,
Ragwing

I have a checklist around here somewhere, in dire need of updating. Instead, here are a few things that are a little different from what has been mentioned.

  • In place of a router, run something like Smoothwall or IPCop or build your own from a *ix/BSD box.

  • Make sure your router has a real honest-to-$deity filter firewall. NAT itself isn’t a firewall. You need outbound port restrictions, at least. Outbound 25/tcp talks only to your upstream mail server. Outbound port 53 (tcp or udp) talks only to your upstream nameservers. That kind of thing.

  • Make the most use you can of NTFS file permissions. Turn off “simple file sharing”, and directly control the permissions on files, folders, and everything else. If you have a FAT32 filesystem, change over to NTFS or stay away from the Internet entirely.

  • Run as much as you can as a “Limited user account”. In particular, administrator accounts do not

      • use email, ever

      • use peer-to-peer filesharing, ever

      • play any media acquired over p2p, ever

      • browse the web in any which way or form, except for doing updates from known sites

  • On XP Pro, make the maximum use you can of Group Policy and Security Templates. Although designed for a network domain environment, there is a lot that can be used to lock down the local machine by itself

  • If you’re on a LAN, make use of NAT/routers to compartmentalize machines so one part of the LAN can be protected from another part that somehow got infected. LAN cleanups are messy, and can kill a business

  • Again, if you’re on a LAN, have some kind of traffic monitor and running “snort”. Malware trying to call home may be your first, and sometimes only, indication that there’s a problem. If you’re not looking, you won’t see it.

  • If your hardware supports DEP, make the most use of it that you can

  • In Internet Explorer, change settings to the max security you can. If unsure, select prompt in place of deny. Use the Addon Manager to disable all those “helpful” toolbars and extra functions.

The current user attack vector seems to be the “iframe attack”. Legit sites (including your neighborhood bank or other financial institution) get one of their web pages compromised, and become a malware distributor. Running as a limited user and having locked down NTFS permissions may be the only thing that will save you. I got lucky, in that the antivirus caught it also. Even a black-helicopter paranoid like me will get the defenses tested, from the place you will least expect it. And you’ll never see it coming. If you’re curious, google for “MPack” and set your defenses accordingly.
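The outbound restrictions and traffic-monitoring advice in the post above (25/tcp only to the upstream mail server, port 53 only to the upstream nameservers) can be checked against flow records. The following is an added example, not part of any member's post; the log format, function names and all addresses (RFC 5737 documentation ranges, IPv4 only) are assumptions constructed for illustration.

```python
"""Egress-policy audit over outbound flow records (added example; constructed data)."""
import ipaddress
from typing import NamedTuple

# Assumed policy: restricted ports may reach only these upstream servers.
# All addresses are placeholders from the RFC 5737 documentation ranges.
EGRESS_POLICY = {
    ("tcp", 25): {"192.0.2.25"},                  # upstream mail server
    ("tcp", 53): {"192.0.2.53", "192.0.2.54"},    # upstream nameservers
    ("udp", 53): {"192.0.2.53", "192.0.2.54"},
}

class Flow(NamedTuple):
    src: str
    proto: str
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse 'src proto dst:dport' (a constructed log format, IPv4 only)."""
    src, proto, dest = line.split()
    dst, _, dport = dest.rpartition(":")
    ipaddress.ip_address(src)   # raises ValueError on a malformed address
    ipaddress.ip_address(dst)
    return Flow(src, proto.lower(), dst, int(dport))

def violations(lines):
    """Return flows that use a restricted port toward a non-approved server."""
    bad = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        allowed = EGRESS_POLICY.get((flow.proto, flow.dport))
        # Ports absent from the policy are out of scope for this check.
        if allowed is not None and flow.dst not in allowed:
            bad.append(flow)
    return bad

# Constructed sample: LAN hosts in 10.0.0.0/24 making outbound connections.
SAMPLE_LOG = """\
10.0.0.5 udp 192.0.2.53:53
10.0.0.5 tcp 192.0.2.25:25
10.0.0.9 tcp 203.0.113.77:25
10.0.0.9 udp 198.51.100.10:53
10.0.0.7 tcp 198.51.100.80:443
""".splitlines()

if __name__ == "__main__":
    for f in violations(SAMPLE_LOG):
        print(f"ALERT {f.src} -> {f.dst}:{f.dport}/{f.proto} bypasses upstream server")
```

A host that sends mail or DNS queries directly to an outside address, as 10.0.0.9 does in the sample, is the kind of "calling home" signal the post says may be the first indication of an infection.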

  1. Router
  2. Use an alternative browser (firefox FTW)
  3. From this down KEEP IT SIMPLE
  4. Antivirus: NOD32, Avast!, Avira
  5. Antispyware: Spysweeper, Spyware Doctor
  6. Scanners: Spybot, ad aware, super antispyware
  7. First line browser protection: Spybot Immunize, and spyware blaster
  8. Brains