Bienvenido! - Willkommen! - Welcome!

Tux&Cía. Technical Blog, Santa Cruz de la Sierra, BO

Wednesday, October 8, 2008

Security software

Source
Security Software categories:
  1. Anti-Virus
  2. Anti-Trojan
  3. Anti-Spyware/Malware
  4. Firewall
  5. SandBox/application monitoring (HIPS)
  6. Process related (process to port mapping)

  Other security software
  Conclusion

The purpose of this page is to give you an example of a complete set of security software, to give you an idea of how to secure your computer.
OK, let's start. I assume that if you have reached this point, you have already read and applied the Windows security tips given in the advice area.

Main security software categories for home users:
  * Anti-Virus
  * Anti-Trojan
  * Anti-Spyware/Malware
  * Firewall
  * SandBox/application monitoring (HIPS)
  * Process related (process protection, process to port mapping)

Additional security software categories I won't talk about:
  * Data Encryption (Files, network)
  * Privacy management

(There are more, but I want to focus on the main ones. I know some could say that talking about a minimum security setup without talking about privacy is foolish, but if you follow the software set above, your privacy will be indirectly protected; of course you can still add privacy-related software.)

1 - ANTI-VIRUS Probably, together with the firewall category, one of the most controversial topics: which one is good, which is not, and why. I just remind the reader that I give an example, a good one, but not necessarily the best.
There are so many viruses/worms in the wild that an AV is absolutely needed nowadays; it is the bare minimum to have. I have tested Kaspersky, NOD32, Norton, and AVG.
If you want to check an independent AV testing website, see
http://www.av-comparatives.org


I advise NOD32 or KAV 6.0.
NOD32 has one of the best heuristic modules, which means that it performs very well at detecting unknown viruses not yet added to any AV signature base. It is also very light on resources.
NOD32: http://www.nod32.com/download/trial.htm


KAV 6.0 probably has one of the best detection rates (known viruses), and Kaspersky Lab is very quick at releasing new AV signatures when new viruses/worms are detected in the wild.
(Kaspersky Internet Security 6.0 has the same GUI as Kaspersky AntiVirus 6.0.)
Moreover, KAV 6.0 includes the 'Proactive Defense' technology awarded by firewall leak tester (you can choose not to install it if you wish to install the AV part only).
KIS & KAV 6.0: http://www.kaspersky.com/

2 - ANTI-TROJAN Trojans can be more dangerous than a virus: while a virus can destroy or alter your files, a trojan can give full access to a remote intruder who can do whatever he wants on your computer. In fact, he can do everything you can do, and he can find all your private and sensitive information.
In the worst case, your computer can be turned into a "zombie", attacking a target without your knowledge (e.g. Microsoft), making only you visible (you appear as the attacker) and hiding the true one, the cracker.

I advise Ewido.
Ewido 4.0 is in beta stage for now...
Ewido is now part of the AVG Technologies family of world-class Anti-Virus and Internet Security products. Ewido users will benefit from AVG's comprehensive threat research and support resources.
Look for more on AVG:
AVG Internet Security
Anti-Virus, Anti-Spyware, Anti-Spam, Web Protection & Firewall
Comprehensive protection for your computer! AVG ensures your safety while you search or surf the net, download music, documents and pictures, send emails or instant messages by scanning documents, files, Web pages and Web links before you open them. AVG Internet Security is a reliable and easy-to-use solution for home and small office users.
Unique Internet security thanks to new technology: only AVG gives you real-time protection against malicious websites thanks to our new LinkScanner technology.

There are still techniques on the malware side that try to defeat generic unpacking and emulation; if this subject interests you, you can read the following article:
http://scheinsicherheit.pytalhost.de/decompdelay.htm

3 - ANTI-SPYWARE/MALWARE Spyware is a recent, annoying kind of threat. Its purpose is to advertise to you by every means possible (to make you visit a website about any subject, from the most harmless, like buying a car, to the worst, like porn websites, a threat for your children). To do that, it shows you popups, redirects your browsing to an unexpected website, hijacks your software (mainly your browser, mail client, and instant messaging client), and writes registry entries.
All of that often leads to privacy leaks (information about you sent back to the authors), system stress (CPU and memory consumption), and surfing/gaming annoyances (bandwidth consumption).

The two best-known anti-spyware tools are Spybot and Ad-Aware.
I talk about "Spybot S&D 1.4".
Spybot is well known on the anti-spyware scene and does its job very well.
Spybot provides an on-demand scanner and a resident protection called "TeaTimer".
One interesting feature is the IE "Immunization", described in the help file:

The permanent immunity works on some Internet Explorer control options that are partly visible in the Internet Explorer interface, partly hidden in the registry only. It adds domains known to contain bad contents into the Restricted Zone, thus blocking installation of executable code from those pages; it also adds block options for bad executable code by its ID, and it sets known tracking cookies to not be accepted by Internet Explorer.

To cut it short: it modifies Internet Explorer, through official means, to block a lot of the bad stuff known to Spybot-S&D.
Download link:

safer-networking.org

4 - FIREWALL Ouch, the hot topic.
A "firewall" is not the same thing for everyone, so it is hard to tell you "the best" (I can't).
A basic firewall, as it used to be, is a vanilla packet filter, which means that it checks rules (IP addresses, ports, protocols) and allows or drops traffic. Nowadays, Windows home users' needs have evolved, and so have firewalls. Now there are firewalls that handle website cookies, email spam, website popups, bandwidth throttling and port-to-process mapping, and most include outbound application filtering (there are other features like plugins, etc.).
Because everyone's needs are different, a "best" firewall can't be chosen.
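To make the "vanilla packet filter" concrete, here is an added example (not Look'n'Stop's or any other product's code) of a first-match rule evaluator: each rule names a direction, protocol, remote network, remote port range and verdict, and anything no rule matches is dropped. The rule set and the addresses in it are constructed for the demonstration.

```python
"""First-match packet filter: an added illustration of a basic rule-based
firewall. Example code, not any product's; the rule set is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (arriving) or "out" (leaving)
    proto: str                  # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: Optional[int]  # None for ICMP


@dataclass(frozen=True)
class Rule:
    direction: str                    # "in", "out" or "any"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    remote_net: str                   # CIDR the remote address must fall in
    ports: Optional[Tuple[int, int]]  # inclusive remote port range, None = any
    verdict: str                      # "allow" or "drop"
    name: str

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(self.remote_net):
            return False
        if self.ports is not None:
            if pkt.remote_port is None:
                return False
            low, high = self.ports
            if not low <= pkt.remote_port <= high:
                return False
        return True


# Constructed rule set for a PC connected directly to the internet (no NAT
# router). Order matters: the narrow SMTP allow must precede the broad drop.
RULES: List[Rule] = [
    Rule("out", "udp", "0.0.0.0/0",      (53, 53),   "allow", "dns"),
    Rule("out", "tcp", "0.0.0.0/0",      (80, 80),   "allow", "http"),
    Rule("out", "tcp", "0.0.0.0/0",      (443, 443), "allow", "https"),
    Rule("out", "tcp", "203.0.113.25/32", (25, 25),  "allow", "isp-smtp"),        # ISP relay (constructed IP)
    Rule("out", "tcp", "0.0.0.0/0",      (25, 25),   "drop",  "no-direct-smtp"),  # stops mass-mailing worms
    Rule("in",  "tcp", "192.168.1.0/24", (445, 445), "allow", "lan-file-sharing"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, rule name). Packets no rule matches are silently
    dropped (default deny), which is what leaves unsolicited probes unanswered."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.verdict, rule.name
    return "drop", "default-deny"


def check(direction: str, proto: str, remote_ip: str, remote_port: Optional[int]) -> Tuple[str, str]:
    """Evaluate one packet against the constructed rule set."""
    return evaluate(RULES, Packet(direction, proto, remote_ip, remote_port))


if __name__ == "__main__":
    for args in [("out", "tcp", "93.184.216.34", 443), ("in", "tcp", "203.0.113.7", 135),
                 ("out", "tcp", "198.51.100.9", 25), ("in", "icmp", "203.0.113.7", None)]:
        print(args, "->", check(*args))
```

The default verdict is a silent drop rather than a reject: a rejected probe still tells a scanner that a host is there, while a dropped one gets no answer at all, which is what the "invisible to scans" rule sets mentioned later aim for. A real firewall also tracks connection state so that replies to allowed outbound traffic are accepted; this stateless version leaves that out to keep the rule logic visible.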

Note: on this website I'm talking about leak tests, so about outbound application filtering. Thus, the "score board" does not show good and bad firewalls, only good and bad outbound application filtering (a firewall is more than that, but it's an important part).

I will talk about firewalls as software able to allow/block inbound/outbound network traffic and that has outbound application filtering.

I advise "Look'n'Stop 2.05".
(There are a lot more, like ZoneAlarm, Outpost, etc.)



LNS uses very few resources, which means it won't slow down your computer or your surfing.
It has the application filtering (one of the best) and the network filtering split, which means that someone behind a NAT router (with an integrated, well-configured firewall) can use only the application filtering without bothering with the network filtering (which he can disable).
For others without routers, LNS provides a preconfigured set of rules so that you don't waste time setting it up.
There are advanced rules to really make you invisible to scans.
If you are concerned about web threat management by your "firewall", Norton could be good despite its bad application filtering and its "resource hogger" behaviour.
Look'n'Stop website

5 - APPLICATION MONITORING This approach is very interesting and very effective: if you can't fight all known and unknown threats, the most effective thing is simply to prevent threats from loading.
Because basically even the most sophisticated threat is just an executable, monitoring executable launches on your system is a strong additional layer of security.
A real "SandBox" software (or HIPS, which stands for Host Intrusion Prevention System) will write a list of trusted executables (BlackICE, for instance, checks all your system executables at setup) and will block the launch of any other application.
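The "list of trusted executables" idea, as an added example that is not Ghost Security's or BlackICE's code: executables present at enrolment are recorded by path and SHA-256, and a launch is allowed only if the path is enrolled and its hash still matches, so an unknown program and a trusted binary overwritten after enrolment are both blocked. The files and their contents are constructed in a temporary directory; a real HIPS takes this decision from a kernel hook on process creation, which is outside the example.

```python
"""Application-launch allowlist in the spirit of a HIPS "trusted executables"
list. Added example, not any product's code; sample files are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def enroll(paths: Iterable[str]) -> Dict[str, str]:
    """Record the hash of every executable trusted at setup time."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}


def decide_launch(trust: Dict[str, str], path: str) -> Tuple[str, str]:
    """Allow only enrolled paths whose content is unchanged since enrolment."""
    key = os.path.abspath(path)
    if key not in trust:
        return "block", "not in trust list"
    if not os.path.exists(key):
        return "block", "trusted file missing"
    if sha256_of(key) != trust[key]:
        return "block", "hash mismatch (binary modified since enrolment)"
    return "allow", "trusted"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: two enrolled programs, one unknown dropper, and
    one enrolled program overwritten after enrolment."""
    workdir = tempfile.mkdtemp()

    def write(name: str, data: bytes) -> str:
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    editor = write("editor.exe", b"MZ editor v1")          # constructed content
    browser = write("browser.exe", b"MZ browser v1")
    trust = enroll([editor, browser])
    dropper = write("update_helper.exe", b"MZ unknown")     # never enrolled
    write("browser.exe", b"MZ browser v1 + injected code")  # tampered after enrolment
    return {
        "editor": decide_launch(trust, editor),
        "browser": decide_launch(trust, browser),
        "dropper": decide_launch(trust, dropper),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Hashing rather than trusting the path alone is the point: a path-only list would happily launch the tampered browser.exe. The cost is that every legitimate update changes a hash and must be re-enrolled, which is why HIPS products ask the user at that moment instead of failing silently.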

I advise Ghost Security Suite 1.110 from Ghost Security

Also take a look at the 'Proactive Defense' technology awarded by firewall leak tester, part of KAV6 and KIS6.



Ghost Security Suite includes two pieces of software in one, AppDefend and RegDefend. You can choose to buy or install either part alone; you are not required to install the suite.

RegDefend is a kernel registry protector: it intercepts read/write access to the registry and allows/blocks/asks depending on the settings. It can thus prevent malware from writing an entry in the "Run" registry key, which stops it from running automatically at each startup. The registry areas to monitor are completely customisable.

AppDefend is a "sandbox" or HIPS software: it is system monitoring software that lets the user watch application activities and allow or block what he wants. From the AppDefend forum, below are the threats that AppDefend protects against:
  * Network access
  * Process creation
  * Process execution
  * Global hooks (DLL injection / keyloggers)
  * Process/thread suspension and context modification
  * Virtual memory modification
  * Remote thread creation
  * Physical memory access
  * Termination of threads and processes
  * Rootkit installation methods

The Proactive Defense included in KAV 6.0 or KIS 6.0 can globally do the same, except for process termination. On the other hand, Proactive Defense can detect invisible processes hidden from the Task Manager by a rootkit driver. Both products overlap, but they also have complementary features.
By configuring both correctly, it is possible to run them concurrently and gain a very strong security layer.
Download links:
Ghost Security Suite
Kaspersky AntiVirus

6 - PROCESS RELATED In this area, I will talk about one kind of software:
* process to port mapping
"Process to port mapping" means that you can trace which process is using which port and which protocol, which IP address it is connected to, etc.
By being able to see your system's connection states, you are able to detect trojans, spyware, or worms by yourself.
Sometimes you allow a piece of software to run and then allow it to connect to the internet to do one action, but because you are not sure you can totally trust it, a process to port mapper lets you see exactly what it does.

There are several process to port mappers out there, none relying on the same method to detect processes and ports _accurately_; some are slow, others inaccurate.
The best I have ever seen is "Port Explorer" 1.800 from DiamondCS.



This security software provides useful tools to analyse processes and their network connections. You can select a line and terminate the process, or leave it alive but prevent it from sending data (while letting it receive), or prevent it from sending and/or receiving data; you can spy on what a process sends/receives with a built-in packet sniffer, you can restrict the bandwidth a process can use (for instance limit it to 5Kb/s max), and you can do many other things like whois/lookup, etc.
An interesting feature is that Port Explorer will let you see possibly suspicious processes by highlighting them in red: such processes have one or more sockets belonging to them but no window displayed (as trojans do). Of course a simple instant messaging client minimized to the systray will also be in this case, but so will a trojan... it allows you to quickly spot suspicious processes.
Finally, the display is totally customizable: you can choose all the colours, and choose your language from Dutch, English, French, German, Italian, Portuguese, Spanish, and Swedish.
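The process-to-port mapping from this section and the "sockets but no window" highlight above, as an added example that is not DiamondCS's code: it joins the socket list from `netstat -ano` with the PID-to-image map from `tasklist`, then flags PIDs that own sockets but no visible window and lists each process's peers outside local address ranges. The netstat and tasklist text, the set of window-owning PIDs (which a GUI tool would query from the system) and the look-alike process name `svchst.exe` are all constructed for the demonstration.

```python
"""Process-to-port mapping from netstat/tasklist text. Added illustration of
what a port mapper does; example code, not Port Explorer's. All input data
below is constructed."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample of `netstat -ano` on Windows (one socket per line).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:49731      203.0.113.7:443        ESTABLISHED     2044
  TCP    192.168.1.5:49802      198.51.100.23:6667     ESTABLISHED     3180
  TCP    192.168.1.5:49810      192.168.1.1:139        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    2044
"""

# Constructed sample of `tasklist`; note the look-alike name "svchst.exe".
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    912 Services                   0      5,120 K
browser.exe                   2044 Console                    1     88,420 K
svchst.exe                    3180 Console                    1      2,208 K
"""

# Constructed: PIDs that own a visible window (a GUI tool would enumerate them).
WINDOWED_PIDS: Set[int] = {2044}

# Ranges treated as "local"; any other peer address counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _split_addr(addr: str):
    host, _, port = addr.rpartition(":")   # rpartition keeps IPv6 "[::]:135" intact
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[dict]:
    """Turn TCP/UDP lines into socket records; UDP lines have no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = _split_addr(parts[1])
        remote_ip, remote_port = _split_addr(parts[2])
        state = parts[3] if parts[0] == "TCP" else ""
        sockets.append({"proto": parts[0], "local": f"{local_ip}:{local_port}",
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": state, "pid": int(parts[-1])})
    return sockets


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name (assumes image names without spaces)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "*" on unbound UDP sockets
        return False
    return not any(addr in net for net in LOCAL_NETS)


def build_report(sockets: List[dict], procs: Dict[int, str], windowed: Set[int]) -> Dict[int, dict]:
    """Per PID: image name, socket count, window ownership and external peers."""
    report: Dict[int, dict] = {}
    for s in sockets:
        entry = report.setdefault(s["pid"], {
            "image": procs.get(s["pid"], "<unknown>"), "sockets": 0,
            "window": s["pid"] in windowed, "external_peers": []})
        entry["sockets"] += 1
        if is_external(s["remote_ip"]):
            entry["external_peers"].append(f'{s["remote_ip"]}:{s["remote_port"]}')
    return report


def red_flagged(report: Dict[int, dict]) -> Set[int]:
    """The highlight rule described above: owns sockets but shows no window."""
    return {pid for pid, e in report.items() if e["sockets"] and not e["window"]}


if __name__ == "__main__":
    rep = build_report(parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_OUTPUT), WINDOWED_PIDS)
    for pid in sorted(red_flagged(rep)):
        print(pid, rep[pid]["image"], rep[pid]["external_peers"])
```

Run on the constructed data, the rule flags System, svchost.exe and the look-alike svchst.exe, which matches the text: the heuristic is a prompt to look closer, not a verdict. What separates the three is the extra column: the genuine service processes talk only to local addresses or listen, while PID 3180 holds an established connection to an external host on port 6667, and that combination of no window, an unfamiliar image name and an external peer is what a practitioner would investigate first.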
To test it or buy it

Other security software:

With such software installed and _properly configured_, your computer is turned into a heavy fortress. Of course it takes time, personal investigation, and money... but this software is really worth it; at least try it.

For those who want more choice, as a quick example, another software set could be: Kaspersky, BoClean, Spybot, Outpost, Abstrusion Protector, Port Explorer, ProcessGuard, even if some software in this list doesn't have all the features of the ones I chose.

You can try to improve your security even more with data encryption or by adding specialized privacy-related software, but I stop here because all the software shown is sufficient to provide you with strong security.

Conclusion:
If everyone were educated about security, worms and viruses would fade into the dark and we would never hear of them anymore.
It has nothing to do with "IQ", but with education: you don't know that you have to do something until you learn it from your mistakes, or from someone else.
Sadly, I know a lot of friends who never update Windows and don't have any security-related software, sometimes just an outdated anti-virus. Don't wonder how worms can spread around the world; it's all about education.

After many years of studying security, I have noticed that the threat level "jumped" when the Internet became ordinary at home, when high-bandwidth connections started to be available at low prices for everyone, when it became a fashion.
All the security stuff that wasn't important before that is nowadays a must-have.
For proof, just format and install Windows, connect to the internet, and you will be infected by a worm in 10s or less; that would have sounded unbelievable a few years ago.
The internet isn't a playground anymore where you can go to gaming sites and forums, look at beautiful wallpapers, listen to music and enjoy all kinds of entertainment... users now have to understand the real risks they can encounter; they have to bother with security (I say "bother" because I know people who aren't enthusiastic about it) _before_ their personal entertainment.

So, keep following the best guidance, install a security software suite and understand it, keep visiting security forums to be aware of the latest threats, and you will see that having a safe computer never hurt by malicious threats is possible, but only if you want it.
