CF with CS - Good Enough Alone?

[mekelek]

thanks but which I have to download I actually want a free version without firewall

you download the usual installer then deselect the modules you don't want to install.
be prepared, the UI is not user friendly and in some cases can bug out (like it did on me)

 

[mekelek]

I have said this very same thing many times in the last few years, and it gets over looked every time, as if it does not sink in fully.

It was rare, that a sample bypassed UAC and Smartscreen in all the testing i did, i almost always had to allow them through.

how would you not look over UAC when it pops up every time something opens? it can't be used as an indicator to spot something malicious.
and smartscreen only works on executables downloaded straight from the internet..

 

[illumination]

how would you not look over UAC when it pops up every time something opens? it can't be used as an indicator to spot something malicious.
and smartscreen only works on executables downloaded straight from the internet..

Using UAC is no different then using a product that prompts the user for choices. It intercepts, and you have to determine. UAC also has different presented formats/prompts, not just would you like to allow this.

If you would like to see something you would not expect, place UAC at max, windows defender on, download a pack from the Hub, and open it, then launch what is left, and tell me if Smartscreen intercepts. If you really want to test it, go to Hybrid-Analysis or similar site and download each sample one at a time with all enabled. Use MS Edge as your main browser while doing so... Should be interesting the results you find. I have done it many times, and have seen serious marked improvement over time.

As you stated, the mark of the web, certainly helps the chances of them being intercepted, it also happens to be the most common method of downloading and executing any applications for common users.

 

[Deleted member 178]

If you're using Comodo FW it makes zero sense to disable WD to install a third party AV. WD will do the job nicely and CF will take care of everything else. WD tweaked+ Windows 10 mitigations is pretty powerful so adding CF is a rock solid setup.

i totally agree.

If someone only want a Sig AV to complement CF why disable one that's built in and doing very well in tests just to install a third party AV?

exact unless they look for a particular feature.

Add to that the fact that on most test I see people have to allow malware past both UAC AND Smartscreen before they can even test third party security and I think that makes the case for WD+ All of Windows 10 security features +CF a pretty strong one.

Even "professional" test labs disable UAC and Smartscreen, if they don't they can't "sell" you their results.

It was rare, that a sample bypassed UAC and Smartscreen in all the testing i did, i almost always had to allow them through.

yes i remember a cool video where the tester ( a good buddy of mine) let those enabled, the tested product had almost nothing to do , all was blocked by UAC/SS.

 

[Chimaira]

i totally agree.



exact unless they look for a particular feature.



Even "professional" test labs disable UAC and Smartscreen, if they don't they can't "sell" you their results.


yes i remember a cool video where the tester ( a good buddy of mine) let those enabled, the tested product had almost nothing to do , all was blocked by UAC/SS.

DEP enabled for all programs, Hypervisor enabled Code Integrity with DMA, Secure Boot, Credential Guard etc.

Require trusted path for credential entry enabled.

All this running on a SUA + the before mentioned hardening tweaks for Defender.

Yes I'd say no need for 3rd party AV.

 

[simmerskool]

Forticlient - Next Generation Endpoint Protection

suggest you also download the administration guide pdf. I'm finding it helpful.

 

[simmerskool]

I just installed forticlient 5.6.6.1167, just the webfilter. seems to play nice with other security apps seems not to slow down browsing and it did block a webpage, which I found curiously interesting and digging deeper into that one as it was not expected. Plus the newer extensions for chrome. Almost feels safe

 

[codswollip]

If the AV does not detect it, how can I know if the file that runs inside the sandbox is malicious?

To which I would ask... if the AV does detect it, how do you know it's not a false positive... See what trouble you've gotten yourself into? CS said it best...

You don't. But you must assume (unless you are a Super-geek) that it MAY be malicious and just trash it. Taking something out of the Sandbox without extensive research is just like disregarding an AV alert that a file is malware.

 

[128BPM]

To which I would ask... if the AV does detect it, how do you know it's not a false positive

mmmm I guess if more than 3 respectable AV engines detect it, then I assume it's malicious.

 

[codswollip]

mmmm I guess if more than 3 respectable AV engines detect it, then I assume it's malicious.

If you know that all three detected it, then sure maybe... but most AV's with multiple detection engines throw an alert if any of the engines find fault, and you generally are not informed which engine(s) alerted and which didn't unless you dig more deeply, or submit to VT.

 

[Cortex]

Use it with Emsisoft - & HMP.Alert (erm & AdGuard, maybe sometimes ZAM) I do worry a little as when I'm away as others use this (my) PC & are they not very security conscious -

 

[cruelsister]

I guess if more than 3 respectable AV engines detect it, then I assume it's malicious.

This is an important comment! The issue here is that one can infer that if either 2 or 1 or even 0 scanners showed a file to be malicious it must be good, right?

Obviously this is far, far from the case, and is the major weakness in the traditional AV. Most professional malware authors know that, as a rule of thumb, that a true Zero-day file sent out to the masses will have an initial detection by some scanner at the 12 hour mark (and at this point in time a respectable Blackhat will morph the original and send it out again).

Even worse a more targeted malicious file may go undetected for weeks (remember CCleaner?) and malware sent to a single organization can get past security protection for many months (like the Scriptors used in the Target and Home Depot breaches).

So although VT results are fun to watch and one with frequent use can see which vendors react the quickest (and those that do not react at all!) to new malware, one does not know the timeframe between initial malware release and initial AV detection.

 

[bribon77]

Well here with the configuration of the cruel Sister. You have to have clear concepts. For example, "I will not install anything that is not necessary and that is a program known as good." In this way, it is difficult to infect with a zero day. and of course, signatures are still necessary. Why do I know that I am clean if it is not for the signatures of AVs?
If you want to try a new program, use Shadow Defender.

 

[ForgottenSeer 58943]

the first version 5.6 I am under windows 10

FortiClient has no true firewall, the firewall would be the FortiGate. Without a FortiGate you won't have a traditional firewall and Windows Firewall will be left running. It has an APPLICATION firewall, which is different, it's an application control firewall that gives you granular control over applications and their activities.

That link is correct.

 

[Nightwalker]

Well here with the configuration of the cruel Sister. You have to have clear concepts. For example, "I will not install anything that is not necessary and that is a program known as good." In this way, it is difficult to infect with a zero day. and of course, signatures are still necessary. Why do I know that I am clean if it is not for the signatures of AVs?
If you want to try a new program, use Shadow Defender.

Good comment, I second that.