windows live onecare


Warren

Have any of you ever used Windows Live OneCare... a waste of $50.00. Now I
know why they are discontinuing it. It finds NOTHING and I have to run
antispyware and antimalware to keep my PC clean. Please suggest the best
free protection for my machine since I won't be using this one anymore.
 

David H. Lipman

From: "Warren" <[email protected]>

| Have any of you ever used Windows Live OneCare... a waste of $50.00. Now I
| know why they are discontinuing it. It finds NOTHING and I have to run
| antispyware and antimalware to keep my PC clean. Please suggest the best
| free protection for my machine since I won't be using this one anymore.

Avira AntiVir used in conjunction with Malwarebytes' Anti Malware.
 

VanguardLH

msnews.microsoft.com said:
I agree with you about Live OneCare. It did suck.

That said - Windows now has Microsoft Security Essential at
http://www.microsoft.com/security_essentials/

which seems to be working for me.
It found 2 infections that Norton 360 did not.
So far, I like it.

To clarify, the anti-virus engine used in MSE is different than the one that
was used in OneCare. That is, you aren't stuck with the same bad AV that
was in OneCare.
 

VanguardLH

Warren said:
Have any of you ever used Windows Live OneCare... a waste of $50.00. Now I
know why they are discontinuing it. It finds NOTHING and I have to run
antispyware and antimalware to keep my PC clean. Please suggest the best
free protection for my machine since I won't be using this one anymore.

Basically what you are really asking is what other users are currently
using. Even after trialing several products and users deciding what they
like best, you are still going to get responses that reflect what users have
chosen as their current security suite. So, with that in mind, here is my
setup:

- Avast! 5 (fully operable so using its on-access scanner).
o Free version.
o Not all "shields" are installed since I don't need them (I don't use
prattle IM clients or P2P file stealing) or they can be problematic
(like timeouts due to delays in e-mail traffic from the scanning). I
only installed the following shields:
* Web shield (with intelligent streaming disabled)
* Network shield
* File shield
o Prior free versions only let you do a quick scan (ashquick.exe) that you
could schedule in Task Scheduler. V5 lets you add a schedule to both
the quick and full scans so, for example, you could quick scan on
Mon-Sat and full scan on Sun.
o Unlike Avira, Avast lets you schedule how often to check for updates
with a single setting. With Avira, you will need to add more scheduled
jobs that do an update check (recommended since the free version of
Avira hits the same server for all users which makes it busy and it
could be 3 days before you get an update if you just go with the default
1-per-day update scheduled job).
o The free version of Avira does not include their web shield. Avast
includes their web shield in their free version.
o Avira free version does not include the e-mail scanner (but often you
end up having to disable it for other AV products due to the problems it
creates).
- MalwareBytes AntiMalware
o Free version.
o Does not include an on-access (real-time) scanner. This is actually
desirable to avoid conflict with whatever is your AV program of choice.
o There is no option to check for updates before running a manual scan.
The update dialog is also on a different tab. Be sure to do an update
before you run a manual scan.
- SuperAntispyware
o Free version.
o Disable the on-access (real-time) scanner. Used only as an on-demand
(manual) scanner to avoid conflict with other security software.
o Be sure to update before scanning. It has an option to ensure checking
for updates before you run a manual scan.
- WinPatrol
o Free version.
o Does not include an on-access scanner.
o Polls at intervals for changes to system to alert on critical
modification.
* Change the default poll interval for all monitors down to 1 minute.
Waiting 5 minutes to find out something changed is too long.
- Returnil Home
o Lets you make changes to your system which are obliterated when you
reboot (or you can choose to keep the changes).
o Any install that requires a reboot would be obliterated if Returnil were
active since it discards all changes made to the virtual disk (so
Returnil is not useful for any install that requires a reboot - instead
use a virtual machine, like VirtualPC 2007, VMware Server, or
VirtualBox).
o Can be configured to activate on Windows startup. Handy when giving a
host to kids or strangers since a reboot wipes everything they changed.
o Microsoft's similar product is called SteadyState.
- SpywareBlaster
o Free version.
o No on-access scanner (this product isn't potent enough to use for
real-time scanning, anyway).
o Usefulness lies in adding ActiveX killbits in the registry to prevent
known malware from running. This is passive but always-present
protection.
o Can add "bad" domains to Restricted Sites security zone to neuter them.
* This does not prevent sites from relaying content from those bad
sites. It merely disables many HTML features if and when you visit
those sites.
o Can add "bad" domains to the cookie blacklist in the web browser.
- Virtual Machine (VM)
o Free version(s).
o VirtualPC 2007 (have also used VMware Server and VirtualBox in the
past).
o Provides isolation of an application by running it inside a guest OS
instead of on your host OS.
o Legally you will need another license of Windows if you want to run an
instance of it in a VM.
* Windows 7 comes with XP Mode which is a licensed copy of Windows XP
SP-3 (but which is legal only under that instance of Windows 7 so
there is no portability). You install XP Mode (since Microsoft didn't
include it as an install-time option) and follow with an install of
VirtualPC.
o VM is more protective than using a sandbox (e.g., Sandboxie) to isolate
an application. They make an excellent environment under which to test
unknown or untrusted software.
* With the effort and side effects of using a sandbox, the setup and use
of a VM is no more difficult than a sandbox but a VM affords more
isolation.
* Sandboxie is probably the only currently supported (and least flaky)
sandboxing program available.
- The free version turns into nagware after the 1-month trial period.
- The free version does not have the option to force every instance of
a program to get sandboxed, like a child process for a web browser
started by clicking on a URL link in a message in an e-mail. Only
the paid version has the force option. By reducing privileges on
normal Internet-facing apps and using a VM as a test environment, I
get covered on lower and higher levels of isolation than what is
afforded by a sandbox.
- Of course, with a sandbox, you don't need another license for
Windows to run it inside a VM.
- PC Tools Firewall Plus
o Free version.
o Includes both firewall (with rules for which apps are allowed to connect
to the network) and HIPS (Host Intrusion Protection System) which are
rules as to which apps can even load or what actions they can perform
with other apps.
o Includes a whitelist of known good apps to reduce the number of prompts
to the user to make a decision.
o Alternatives are Tall Emu's Online Armor and Comodo Firewall (both are
firewall + HIPS).
* Online Armor has its Run Safer feature which can force apps, like the
web browser, to run under reduced privileges (same as if you had
logged under a limited user account). Running an app under a LUA
(limited user account) token restricts what actions a malware can
commit if its infection vector is through the restricted app (web
browser, e-mail client, newsreader, or other Internet-facing app).
* Comodo Firewall has its sandbox (which is not a full sandbox but still
provides some isolation). You can add an app, like the web browser,
to the sandbox but disable file/registry virtualization to only force
that app to run under a LUA token. (Note: Comodo still needs to work
on their sandbox as it is still too flaky in its operation.)
* Both Online Armor and Comodo include whitelists of known good apps.
o Unlike Online Armor but like Comodo Firewall, PC Tools will let you
specify rules as to WHERE an app may connect.
* For example, you may want an app to phone home to check for updates
and pester you with alerts that a new version is available,
especially if you have already tested that new version and have
problems with it or otherwise decide you don't want it. But you could
let that same app connect everywhere else.
o All firewall+HIPS products suggested here:
* Can be quickly disabled by right-click on their tray icon. For
example, you will need to disable them when visiting the Windows
Update site so you can install updates to Windows or Office.
* All these products are at the top of Matousec's list of best
firewalls (http://www.matousec.com/).
o While both Online Armor and Comodo Firewall have the means of forcing
the web browser (or any app) to run under a LUA token (to reduce its
privileges and throttle any malware through that infection vector), PC
Tools is lacking in this feature. See the next point about using SRPs
to restrict applications.
- Software Restriction Policies (SRPs)
o Every version of Windows from XP and on up (not sure about 2000) can
have an SRP rule defined to restrict a program. The available choices
for a security level in an SRP rule are:
* Unrestricted: App runs at the same privileges as your Windows account.
* Blocked: App is never allowed to run.
* Basic User: Available in Windows Vista and up, hidden in Windows XP
but can be added via a registry edit. Restricts the program to run
under a limited user account's privileges.
o By using an SRP rule to force a program to run under an LUA token, you
get the same benefit as Online Armor's Run Safer option or Comodo's
firewall with its sandbox (but with file/registry virtualization
disabled for that app). So I can combine PC Tools Firewall Plus with
SRP to give me the same functionality as, say, Online Armor with its Run
Safer option but I get better detailed control in PC Tools firewall
rules than I do in Online Armor's firewall rules. I have several
outstanding problems with Comodo Firewall (see their forums by searching
on my moniker there) and why I don't use that product.
o SRP is already available in Windows and requires no additional software
installation from 3rd party vendors.
o You can still run the app without restriction. SRP path rules are based
on, yep, the path you specify to the program so the same executable in a
different path won't have that SRP rule applied against it.
o How to setup an SRP rule (and how to get the Basic User security level
added to Windows XP) is too lengthy for this already long post. If you
want more info on using SRP that is part of Windows, ask for more info
and I can spew out my canned response.
- GeSWall (isolation + policy enforcement)
o Free version.
o Only isolates web browsers and some prattle (IM) clients.
o Is not a proper sandbox but does provide some virtualization to isolate
an application.
o Instead of using Windows' privileges assigned to an app, it enforces its
own access control rights on the isolated app.
o I don't currently use this anymore because it can get in your way too
much. It can interfere with the functions of an app. It is designed to
be transparent but isn't quite invisible. I would still be using
GeSWall except for the interference it has in how an app can operate.
o More restrictive in its policies than those afforded by using an SRP
rule.
o Tracks any downloads using the app (web browser) to make them run
isolated, too. When you run the downloaded app, you have the choice of
running it isolated or unisolated (so an install you download can
actually do the install to your host if you opt to do so).
o Easy to switch an app from isolated to unisolated. A "G" icon gets added
to the titlebar of the isolated app. If you want to run it unisolated,
click on the G and select to restart as unisolated. A bit easier than
having to right-click on a tray icon to disable all protection,
especially when you only want one instance of the app to be unisolated.
o Does NOT prevent malware files from getting deposited onto your host.
Only prevents them from committing their malicious action.
o Between having an anti-virus and firewall+HIPS security software, VMs,
and SRP rules, GeSWall becomes pretty superfluous. It's when you don't
have all those other techniques that GeSWall will shine.
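The Software Restriction Policy rule described above, written out as an added PowerShell example. This is not the poster's own setup or canned response; it assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the browser path it restricts is a placeholder to substitute with your own Internet-facing apps. Run it from an administrator prompt on XP SP3 (PowerShell 2.0) or later.

```powershell
# Added example, not from the thread: define a Software Restriction Policy
# (SRP) path rule that makes one program run at the "Basic User" level, the
# technique described in the post above. Run from an administrator prompt.
# Assumptions: the browser path used below is a placeholder; everything else
# is the documented SRP registry layout under CodeIdentifiers.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security level IDs (the SAFER_LEVELID_* constants; they are also the
# names of the per-level subkeys, written in decimal).
$Level = @{
    Disallowed   = 0x00000   # "Blocked" in the post: never allowed to run
    Untrusted    = 0x01000
    Constrained  = 0x10000
    BasicUser    = 0x20000   # runs with a limited-user (LUA) token
    Unrestricted = 0x40000   # full rights of the logged-on account
}

# Windows' default list of extensions that SRP treats as executable.
$ExecutableTypes = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT',
    'EXE','HLP','HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP',
    'MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

function Enable-SaferPolicy {
    # Create the policy root with the same values secpol.msc writes when you
    # choose "New Software Restriction Policies"; harmless if it already exists.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name DefaultLevel -PropertyType DWord `
        -Value $Level.Unrestricted -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord `
        -Value 1 -Force | Out-Null            # 1 = check all files except DLLs
    New-ItemProperty -Path $Safer -Name PolicyScope -PropertyType DWord `
        -Value 0 -Force | Out-Null            # 0 = apply to all users, admins included
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString `
        -Value $ExecutableTypes -Force | Out-Null
    # Windows XP/2003 hide Basic User in the Local Security Policy UI; this
    # value unhides Basic User, Constrained and Untrusted (0x20000+0x10000+0x1000).
    # Vista and later show Basic User without it.
    New-ItemProperty -Path $Safer -Name Levels -PropertyType DWord `
        -Value 0x31000 -Force | Out-Null
}

function New-SaferPathRule {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,     # may contain %ENV% and wildcards
        [Parameter(Mandatory=$true)] [int]    $LevelId,  # a value from $Level
        [string] $Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths.
    $ruleKey = '{0}\{1}\Paths\{2}' -f $Safer, $LevelId, [guid]::NewGuid().ToString('B')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData -PropertyType ExpandString `
        -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags -PropertyType DWord `
        -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String `
        -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $ruleKey
}

function Get-SaferPathRules {
    # Practitioner check: list every path rule and the level it enforces.
    foreach ($name in $Level.Keys) {
        $paths = '{0}\{1}\Paths' -f $Safer, $Level[$name]
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                New-Object PSObject -Property @{
                    Level = $name; Path = $p.ItemData; Description = $p.Description
                }
            }
        }
    }
}

# Usage (placeholder browser path; substitute your own Internet-facing apps):
Enable-SaferPolicy
New-SaferPathRule -Path '%ProgramFiles%\Mozilla Firefox\firefox.exe' `
    -LevelId $Level.BasicUser -Description 'Browser runs with a limited-user token'
Get-SaferPathRules | Format-Table Level, Path, Description -AutoSize
```

The rule takes effect for processes started after it is written; already-running instances keep their token. As the post notes, a path rule matches the path string only, so the same executable copied elsewhere is unaffected, and the Unrestricted default means everything not matched runs as before. To confirm the restriction, open the browser's process in Process Explorer (Security tab): under a Basic User token the Administrators group shows as deny-only and the privileges list is trimmed to the set a limited user gets.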
 

FromTheRafters

VanguardLH said:
To clarify, the anti-virus engine used in MSE is different than the one that
was used in OneCare. That is, you aren't stuck with the same bad AV that
was in OneCare.

Which engines are in MSE now? All I can find is references to Forefront
and earlier.
 

FromTheRafters

Warren said:
Have any of you ever used Windows Live OneCare... a waste of $50.00. Now I
know why they are discontinuing it. It finds NOTHING and I have to run
antispyware and antimalware to keep my PC clean. Please suggest the best
free protection for my machine since I won't be using this one anymore.

I never used OneCare.

I use Avast! free version on one laptop (Vista) and AntiVir free version
on the other (XP Pro). I'm depending on the fact that I can download and
execute Malwarebytes' Anti-Malware and SuperAntiSpyware free version as
I find the need. I use the native firewall on each even though I am
behind a rudimentary firewall in the form of a router. I use ClamWin
(when I'm bored) and have Windows Defender also running.

Then again, my needs may be simpler than yours.
 

VanguardLH

FromTheRafters said:
VanguardLH wrote ...


Which engines are in MSE now? All I can find is references to Forefront
and earlier.

Yep, Forefront in MSE. It was their acquired GeCAD's RAV that they rolled
into their OneLive product. OneLive (with its GeCAD AV) always showed poor
coverage. Alas, in the Nov 2009 av-comparative.org testing, MSE (with its
Forefront engine) was also doing very, VERY poorly. Hopefully that will
jump up significantly in the next review due in another 3 months. This is
not the only way to measure effectiveness but does give some indication of
effectiveness.

http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
http://en.wikipedia.org/wiki/Windows_Live_OneCare

I don't recall ever seeing GeCAD in any av-comparative.org review (or it was
so long ago that I didn't recognize the name when I saw Microsoft acquired
this product). Could be they wouldn't submit a sample, didn't want the
results reported, or were so poor for coverage that they didn't make the top
listed products. OneLive (that used GeCAD AV) did get reported but started
out at a very low coverage, so low that I never bothered to retain any
memory about its coverage other than it sucked. Coverage grew slowly and
steadily but was never great. Anything under 95% is too low. It never
seemed a rational choice since *free* AV products did so much better.
 

FromTheRafters

VanguardLH said:
Yep, Forefront in MSE.

I read in some blurb about MSE that the scanning system is based on the
same one in Forefront. Then I read some blurb about Forefront's scanning
being based on the AntiGen system, then found this:

=====================
Q. What antivirus scan engines are included with Antigen?
A. Antigen products support multiple scan engines from industry-leading
vendors. Below is a chart of what scan engines are available with each
product.
Microsoft Antigen for Exchange

Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
=====================

I musta taken a wrong turn somewhere - are there multiple (and
non-Microsoft) scanning engines involved in MSE?
It was their acquired GeCAD's RAV that they rolled into their OneLive
product. OneLive (with its GeCAD AV) always showed poor coverage. Alas, in
the Nov 2009 av-comparative.org testing, MSE (with its Forefront engine)
was also doing very, VERY poorly. Hopefully that will jump up significantly
in the next review due in another 3 months. This is not the only way to
measure effectiveness but does give some indication of effectiveness.

I will check that out later, thanks.
http://en.wikipedia.org/wiki/Windows_Live_OneCare

I don't recall ever seeing GeCAD in any av-comparative.org review (or it was
so long ago that I didn't recognize the name when I saw Microsoft acquired
this product). Could be they wouldn't submit a sample, didn't want the
results reported, or were so poor for coverage that they didn't make the top
listed products.

:-)

OneLive (that used GeCAD AV) did get reported but started out at a very low
coverage, so low that I never bothered to retain any memory about its
coverage other than it sucked. Coverage grew slowly and steadily but was
never great. Anything under 95% is too low. It never seemed a rational
choice since *free* AV products did so much better.

It always worried me just what type of malware existed in that last 5%.
A detector that gets almost everything except the viruses with
polymorphic self-decryption routines could lead one to believe it is
adequate for protection from the most prevalent type of malware out
there (i.e. lame), and would have a good showing when measured against such
malware in its test set. It would be a complete failure if the threat
landscape suddenly changed to more sophisticated viruses.
 

David H. Lipman

From: "FromTheRafters" <erratic @nomail.afraid.org>


| I read in some blurb about MSE that the scanning system is based on the
| same one in Forefront. Then I read some blurb about Forefront's scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from industry-leading
| vendors. Below is a chart of what scan engines are available with each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live OneCare and its
successor, MSE.
 

VanguardLH

David said:
From: "FromTheRafters" <erratic @nomail.afraid.org>



| I read in some blurb about MSE that the scanning system is based on the
| same one in Forefront. Then I read some blurb about Forefront's scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from industry-leading
| vendors. Below is a chart of what scan engines are available with each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live OneCare and its
successor, MSE.

Nope. Remove the "and". OneCare and MSE use different anti-virus engines.

Sybari Antigen --.--> Forefront
                 '--> MSE (via Forefront Client Security)
GeCAD RAV -----> OneCare

Microsoft acquired Sybari Software Inc, a Romanian firm with NY offices, in
June 2005. With the acquisition, Microsoft acquired the Antigen line of
security products which got renamed to the Forefront product line and became
the basis for Microsoft's family of enterprise-level security products.

See: http://www.microsoft.com/presspass/press/2005/feb05/02-08SybariPR.mspx
http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

Microsoft purchased the Reliable AntiVirus (RAV) product from GeCAD, another
Romanian firm (Bucharest) but which continues to exist as its own company,
in June 2003. Users had to wait another 2 years before RAV showed up in the
summer of 2005 in a beta version of OneCare.

See: http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
http://en.wikipedia.org/wiki/Onecare

Both were acquisitions of or purchases from Romanian companies. I didn't
find out how much Microsoft paid to acquire Sybari and what they paid to buy
the RAV product. Antigen was a suite of enterprise-level security solutions
that became the Forefront family line with its Forefront Client Security
desktop agent going into MSE. RAV was an end-user security solution and went
into OneCare (and looks to have died there).
 

FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <erratic @nomail.afraid.org>



| I read in some blurb about MSE that the scanning system is based on the
| same one in Forefront. Then I read some blurb about Forefront's scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from industry-leading
| vendors. Below is a chart of what scan engines are available with each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live OneCare
and its successor, MSE.

Well then, let's hope it can live up to mediocre. :-)
 

David H. Lipman

From: "VanguardLH" <[email protected]>


| Nope. Remove the "and". OneCare and MSE use different anti-virus engines.

| Sybari Antigen --.--> Forefront
|                  '--> MSE (via Forefront Client Security)
| GeCAD RAV -----> OneCare

| Microsoft acquired Sybari Software Inc, a Romanian firm with NY offices, in
| June 2005. With the acquisition, Microsoft acquired the Antigen line of
| security products which got renamed to the Forefront product line and became
| the basis for Microsoft's family of enterprise-level security products.

| See: http://www.microsoft.com/presspass/press/2005/feb05/02-08SybariPR.mspx
| http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

| Microsoft purchased the Reliable AntiVirus (RAV) product from GeCAD, another
| Romanian firm (Bucharest) but which continues to exist as its own company,
| in June 2003. Users had to wait another 2 years before RAV showed up in the
| summer of 2005 in a beta version of OneCare.

| See: http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
| http://en.wikipedia.org/wiki/Onecare

| Both were acquisitions of or purchases from Romanian companies. I didn't
| find out how much Microsoft paid to acquire Sybari and what they paid to buy
| the RAV product. Antigen was a suite of enterprise-level security solutions
| that became the Forefront family line with its Forefront Client Security
| desktop agent going into MSE. RAV was an end-user security solution and went
| into OneCare (and looks to have died there).

I'm not convinced. As far as I know there is only ONE Microsoft AV engine and ONE set of
signatures and that was OneCare and is now MSE. Perhaps something else is the engine for
MS MRT.

I have a couple of contacts to ping. I will look into this.
 

David H. Lipman

From: "VanguardLH" <[email protected]>

UPDATE:

The same engine is used in ALL: Malicious Software Removal Tool, OneCare and Security
Essentials.
However, the signature sets are not necessarily the same.

I was told "...it's not exactly the GeCAD RAV engine any longer - the code has evolved..."
:)

This is a DEFINITIVE answer.
 

VanguardLH

David said:
From: "VanguardLH" <[email protected]>

UPDATE:

The same engine is used in ALL: Malicious Software Removal Tool, OneCare
and Security Essentials. However, the signature sets are not necessarily
the same.

I was told "...it's not exactly the GeCAD RAV engine any longer - the
code has evolved..."
:-)

This is a DEFINITIVE answer.

From who? That's not your answer. You were told by someone else. If
they're willing to be held accountable for their claim, where did they
publish it?

Where did Sybari's code go? Where did GeCAD's code go? Did they get mixed
together? Did one of them get tossed and just used one of them? Is it an
engine with Sybari and GeCAD code mixed together? What does "evolved" mean?

Your "definitive" answer is more cloudy than anyone guesses have been prior
or based on published articles describing the ForeFront, MSE, and OneCare
products. Your "source" gave a response that cannot be verified, has no
supporting evidence, and won't even expose themself to be held accountable
for their claim. Sorry, David, I don't buy it.
 

David H. Lipman

From: "VanguardLH" <[email protected]>


| From who? That's not your answer. You were told by someone else. If
| they're willing to be held accountable for their claim, where did they
| publish it?

| Where did Sybari's code go? Where did GeCAD's code go? Did they get mixed
| together? Did one of them get tossed and just used one of them? Is it an
| engine with Sybari and GeCAD code mixed together? What does "evolved" mean?

| Your "definitive" answer is more cloudy than anyone guesses have been prior
| or based on published articles describing the ForeFront, MSE, and OneCare
| products. Your "source" gave a response that cannot be verified, has no
| supporting evidence, and won't even expose themself to be held accountable
| for their claim. Sorry, David, I don't buy it.

I can't tell you whom it came from specifically. All I can say is it came from a high
positioned person in Microsoft. Someone I have communicated with since just before MS
AntiSpyware became Windows Defender.

You may choose to not believe me or "buy it" but, what I relayed is a fact coming from
someone with real inside knowledge.

As for the evolution concept from the GeCAD '03 roots, I did not press my contact.
 
