Roll your own Free Security Suite (advanced)

From CastleCopsWiki

Caution: The article below is currently in beta and has not been reviewed for factual errors.

This article is the "advanced" version of Roll_your_own_Free_Security_Suite and introduces the use of other advanced security applications beyond those mentioned in the basic article.

All of these items are selected from the Lists_of_Freeware_Security_Software, and while most are not yet mainstream (i.e. the kind of software your grandmother has heard of), they are fairly well known among "those in the know".

Some can be used as replacements for entries in the original list, others as complements. While using such security applications will definitely provide greater security, there is of course a tradeoff in terms of user effort or convenience, user knowledge requirements, and sometimes computer resource use in exchange for that greater security.

Users who wish to follow the recommendations in this article should keep that in mind. Please note that while the basic article generally envisions the user running at least one (if not all) of the items under each category, in this article there is no need to use every single item in each category. You could of course run one anti-rootkit, one anti-keylogger, one behavior blocker, one sandbox, one virtualization solution etc. (on top of the usual antivirus/antispyware) - and some people indeed do that - but newcomers exploring this brave new world of advanced security applications are advised to try one new application at a time, and only once it has proven stable to consider adding another layer.

Some entries, like Online Armor and the Webroot firewall, provide two functions in one (e.g. firewall plus HIPS).

Compared to the basic article, this article also recommends a wider range of software for each category to give users a bigger choice. The reason is that many of these security programs have a smaller user base, and while those selected here are the most popular of the lot and are generally well tested, some of them may not be stable on certain setups, particularly since many of them (HIPS in particular) hook deep into the system.

Vista users should also note that unless otherwise indicated, most of these applications (the free ones in particular) do not yet work on Vista.

Anti-Virus, Antispyware, Antitrojans (supplement)

  • Dr.Web CureIt! (on demand)
  • Spyware Doctor Starter Edition (on access)
  • Spyware Terminator (on access)
  • Comodo BoClean (on access)
  • Norton Security Scan (special version from Google Pack that also cleans) (on demand)
  • Prevx Computer Security Investigator (on demand)


Besides those recommended in the earlier roll-your-own article, the applications listed above can also be used either as a replacement or as a complement.

Anti-rootkit

  • DarkSpy (on demand)
  • GMER (on demand)
  • IceSword (on demand)
  • RootkitRevealer (on demand)
  • Rootkit Unhooker (on demand)
  • F-Secure BlackLight (on demand)
  • Panda Anti-Rootkit (on demand)
  • UnHackMe (on demand)
  • RegRun Reanimator (on demand)

Many antivirus products, such as AntiVir, incorporate some rootkit-scanning ability. As a second opinion, the on-demand anti-rootkits listed above can be run periodically.

Anti-keyloggers

  • KeyScrambler (on access)
  • SnoopFree Privacy Shield (on access)
  • PSM AntiKeyLogger (on access)
  • Neo's SafeKeys (on demand)

Behavioral anti-malware/Smart behavior blocker

The main disadvantage of security solutions like antivirus is that they are based on blacklisting technologies which scan the code of files looking for characteristic portions that identify the file as a specific known malicious file. This presumes that the antivirus vendor already knows of the malicious file and has created a signature for it. Such a signature is generally flexible enough to survive minor tampering (simple-minded hex editing of most sorts), and generic signatures can detect malware of the same "family". Antivirus heuristics generally work similarly and are mainly an extension of the same idea: they try to detect code portions or other generic file characteristics that are typical indicators of maliciousness, allowing them to detect unknown samples.

However, such code-based scanning methods have major limitations (problems with runtime packers, code obfuscation and metamorphic malware, high false-positive rates, etc.).

To overcome these problems, one idea is to shift toward behavior-based detection. Instead of scanning the code looking for malicious portions (very difficult, considering that the same function can be written in many different ways), we instead decide whether something is malicious based on its behavior, i.e. what it actually does.

Proponents of this method argue that there is actually a relatively limited number of malicious actions: a keylogger must log keystrokes, an email-based worm has to send email, and so on. The main problem with this method is that it must allow the malware to carry out (or attempt to carry out) its behavior before it can be stopped. This obviously involves a certain degree of risk, because the malware is already running by then and it might be too late to stop it.

Some antiviruses (none of the free ones with real-time protection) try to address this with emulation/virtualization methods that 'run' suspicious samples in a limited 'fake' environment to see what actions they take. Such methods are computationally expensive, however.

Other methods of getting around this problem involve keeping a limited snapshot of certain areas (sensitive registry keys etc.) so that the behavior blocker can restore the system to its state before the malicious action was detected.

ThreatFire (formerly CyberHawk) is one of the freeware security applications that uses behavioral detection methods. It is considered suitable for less advanced users because, unlike classic HIPS (see the next category), it has an intelligent system that decides based on a sequence of events whether a certain process is behaving maliciously. This is considerably less intrusive than a standard HIPS, which alerts the user on individual changes.

Classical HIPS/Behavior blocker

ThreatFire (formerly CyberHawk) has many virtues, but there is still a limit to how clever the system can be.

As such, a very popular niche product is a class of software often called "classic HIPS". Unlike the ThreatFire class of products, which attempts to alert the user only when a certain process is seen as suspicious (typically after the process carries out a series of suspicious activities), this class of software simply informs the user whenever a certain event (such as an attempt to change the hosts file, add a startup registry key, terminate another process, etc.) occurs.

The paradigm example of this is DiamondCS's ProcessGuard and System Safety Suite, released in 1994. Today the most sophisticated HIPS, such as EQSecure and Comodo Pro Firewall 3 (which is not just a firewall), are extremely popular among control freaks, because they give the user almost complete control over their systems.

However, this security is based on the assumption that the user responds correctly to prompts. Different methods have been used to

Some good examples:

  • Comodo Pro Firewall 3 (includes firewall)
  • Online Armor free (includes firewall)
  • System Safety Suite free
  • Webroot firewall (includes firewall)
  • Dynamic Security Agent (same as the Webroot firewall, without the firewall component)
  • Neoava Guard
  • Winpooch
  • Prevx (elements of behavior blocker)
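To make the difference between the two alerting styles concrete, here is an added toy model (not code from the article or from ThreatFire, Comodo or any product listed above) run over a constructed process event trace. The event names, the sensitivity weights and the alert threshold are assumptions; a real product uses far richer rules. The model also shows the caveat from the previous section: a sequence-based blocker only alerts after several actions have already happened.

```python
from collections import defaultdict

# Constructed trace of (process, action, target) tuples; not real telemetry.
EVENTS = [
    ("notepad.exe", "write_file", r"C:\Users\me\notes.txt"),
    ("updater.exe", "write_file", r"C:\Windows\System32\drivers\etc\hosts"),
    ("updater.exe", "set_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("updater.exe", "terminate_process", "antivirus.exe"),
    ("updater.exe", "send_email", "smtp:25"),
    ("backup.exe", "set_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bak"),
]


def sensitivity(action, target):
    """Assumed weight of one event; 0 means not security relevant.
    The events are the ones the article names: hosts file edit, startup
    (Run) key, process termination, and a worm-style email send."""
    t = target.lower()
    if action == "write_file" and t.endswith("\\drivers\\etc\\hosts"):
        return 3
    if action == "set_registry" and "\\currentversion\\run\\" in t:
        return 2
    if action == "terminate_process":
        return 3
    if action == "send_email":
        return 2
    return 0


def classic_hips_prompts(events):
    """Classic HIPS: one user prompt per sensitive event, no memory of
    what the same process did before. Returns the events prompted on."""
    return [e for e in events if sensitivity(e[1], e[2]) > 0]


def sequence_alerts(events, threshold=6):
    """ThreatFire-style: accumulate a per-process score over the sequence
    and alert once when it crosses the threshold. Returns a list of
    (process, index of the event that triggered the alert); everything
    before that index was allowed to run."""
    score, alerts = defaultdict(int), []
    for i, (proc, action, target) in enumerate(events):
        score[proc] += sensitivity(action, target)
        if score[proc] >= threshold and proc not in [p for p, _ in alerts]:
            alerts.append((proc, i))
    return alerts


if __name__ == "__main__":
    print("classic HIPS prompts:", len(classic_hips_prompts(EVENTS)))
    print("sequence-based alerts:", sequence_alerts(EVENTS))
```

On this trace the classic HIPS raises five separate prompts (four for updater.exe, one for the benign backup.exe), while the sequence-based model raises a single alert for updater.exe, but only at its third action, after the hosts file and the Run key were already changed.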

Sandboxing

Sandboxing is a well-known concept that involves running suspect or suspicious processes in a safe box to restrict the range of activities they are allowed to perform. This maintains system integrity by limiting the damage they can do if they turn out to be subverted.

Sandboxes can be seen as a classic HIPS applied only to the subset of processes you choose to sandbox, rather than monitoring every process on the PC.

Most commonly, internet-facing applications like email clients, instant messaging and in particular web browsers (and also USB drives) are sandboxed, because most of the danger comes from these sources. A sandboxed web browser is the ultimate answer to drive-by downloads and remote execution exploits, because even if they do run, they can only affect the browser and cannot spread to the rest of the system.

Unlike classic HIPS, sandboxes traditionally do not pop up and offer the user a choice to grant privileges to the sandboxed process; instead they silently block the action. This makes them very suitable for users with little knowledge, and of course far less intrusive.

There are generally two types of sandboxes. Policy-based sandboxes like GeSWall generally work as explained above. However, in the web browser drive-by download scenario above, while the policy-based sandbox will prevent any damage to the rest of the system, the browser itself will still be infected. In other words, while the malware is restricted when running, and hence fairly harmless, it still exists as a binary file on the system. The user must therefore wipe out the infection manually by deleting those files.

A much more popular sandbox method combines sandboxing with virtualization. The idea here is that not only are sandboxed processes limited in what they can do (to ensure they don't break out of the sandbox and subvert the system), but even the file and registry changes made by such processes are "virtualized".

What this means is that such changes are not permanent: they are tracked/redirected by the sandbox, so the user can choose to wipe out all such changes, or "reset" to a clean state, with a click. In the scenario above, the user with the infected browser can simply "empty the sandbox" and the browser will be back to its original state.

  • SafeSpace Personal Edition
  • Sandboxie
  • GeSWall
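The following added toy model (not code from the article or from GeSWall, Sandboxie or SafeSpace) contrasts the two sandbox types described above on the same constructed drive-by scenario: a policy sandbox silently blocks writes outside the browser's own area but leaves the dropped file on the real disk, while a virtualized sandbox redirects every write to an overlay that "empty the sandbox" discards. The paths, the policy and the file contents are assumptions.

```python
class PolicySandbox:
    """Policy-based: writes outside the allowed tree are silently blocked
    (no prompt); writes inside it reach the real disk and persist."""

    def __init__(self, disk, allowed_prefix):
        self.disk = disk            # dict path -> content, stands in for the real disk
        self.allowed = allowed_prefix
        self.blocked = []           # record of silently blocked writes

    def write(self, path, data):
        if not path.startswith(self.allowed):
            self.blocked.append(path)
            return False
        self.disk[path] = data
        return True


class VirtualizedSandbox:
    """Sandbox plus virtualization: every write goes to an overlay, reads
    consult the overlay first, and empty() throws the overlay away."""

    def __init__(self, disk):
        self.disk = disk
        self.overlay = {}

    def write(self, path, data):
        self.overlay[path] = data
        return True

    def read(self, path):
        return self.overlay.get(path, self.disk.get(path))

    def empty(self):
        self.overlay.clear()


HOSTS = "C:/Windows/System32/drivers/etc/hosts"
DROPPED = "C:/Users/me/AppData/browser/dropped.exe"   # constructed path


def drive_by_demo():
    """Constructed scenario: an exploited browser tries to drop a file in its
    own profile and to rewrite the hosts file. Returns the real disk each
    sandbox leaves behind, plus what the virtualized browser saw before reset."""
    disk_a = {HOSTS: "127.0.0.1 localhost"}
    disk_b = dict(disk_a)
    drops = [(DROPPED, "MZ..."), (HOSTS, "0.0.0.0 av-update.example")]
    policy = PolicySandbox(disk_a, "C:/Users/me/AppData/browser/")
    virt = VirtualizedSandbox(disk_b)
    for path, data in drops:
        policy.write(path, data)
        virt.write(path, data)
    seen = virt.read(DROPPED)   # inside the sandbox the browser is "infected"
    virt.empty()                # one click: overlay gone, real disk untouched
    return {"policy_disk": disk_a, "policy_blocked": policy.blocked,
            "virt_seen_before_reset": seen, "virt_disk": disk_b}
```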

Virtualization methods

While sandboxes are very handy, they are generally less useful when the user wants to install and try out a new program. Some simple applications might work when installed in a virtualizing sandbox, but many will not, because they require extra privileges that no sandbox will grant.

So what do you do if you want to run a program you are not sure of and it won't run in the sandbox? This is where full virtualization comes into play.

You can use Returnil Virtual System to enter "virtual" mode. In that state, any further file and registry changes made by any and all programs are stored temporarily and discarded completely on reboot. This can also be seen as a quick form of disk imaging/backup. Windows SteadyState is similar, but it allows you to carry virtual changes across reboots, at the cost of much slower startup times and more hard-disk space.

However, while being able to restore completely to the pre-installation state is useful if the install turns out to be bad, you are not completely covered. Malware could, for example, steal your passwords and send them to the bad guys, so the damage is done even if you can quickly restore to a clean state.

Another option is to run programs in virtual machines. Virtual machines use software to simulate completely new machines, and you can run the new programs inside them. This is highly secure, of course, because programs running in the VM are almost completely isolated from those on the "real" machine.

  • Returnil Virtual System Personal Edition
  • Windows SteadyState
  • Virtual PC 2007
  • VirtualBox
  • VMware Server

Firewall

  • Comodo Firewall
  • Online Armor Free Edition
  • PC Tools Firewall Plus
  • Webroot firewall

Misc
