Advice Request CIS 10 Config: Default or Proactive?

Status
Not open for further replies.
The explanations offered were a bit cryptic, but the consensus seems to be that proactive config has some nice security features.
Nevertheless, many users are happy with firewall config.
So at the end of the day, it's a matter of personal choice.
Not really that cryptic (to me). If you have any other question, I'll try to answer. I can also prove what I write.
 
I have a question, @vivid: I downloaded CIS version 4 on a VM and I ran some ransomware. Also, the product couldn't take updates due to the fact that it is pretty old. Apparently the auto sandbox blocked all the malware. How do you explain that?
 
In CIS 4 or 10, AutoSandbox works just the same, and unknown things start up in the sandbox because it is also a zero-day protection. In this case, a sandboxed cryptolocker is still just program code.
 
If I remember correctly, (with version 4) Sandbox is focused on restriction and not virtualization. I'm not surprised that version 4 is decent. However, version 10 is better from a prevention point of view. This discussion is similar to why protection scores are better with HIPS and protection scores are lower with Sandbox.
Another point (which is probably an advantage compared to version 10) is that older versions employ execution control. That way, you have HIPS capabilities designed for insecure DLL loading and other examples. This feature was removed with newer versions along with buffer overflow prevention (not really removed, but the design was changed significantly and it doesn't do what users expect; it should be renamed in my opinion). The explanation given for why they removed it is that it caused trouble. Execution control was really nice for HIPS power users.
 
Version 10 is way superior compared to version 4 in terms of auto-sandboxing.
Of course, it is better to get the new version; it is optimized for the new systems and some old bugs were corrected.
Thanks, and of course I won't download an older version; I downloaded version 4 on a VM just for testing, nothing more :)
 
The autosandbox function does not need updated sigs to work. It will block by default anything that does not appear on the whitelist, no matter how old the whitelist may be.

Only the AV component needs updated sigs in order to work right.
 
Shmu- About the configuration difference between Firewall Security and Proactive Security: it's kinda-sorta both complicated and boring to get into, but as a rule of thumb if you use the default Firewall Security config you MUST keep the HIPS on, even with the sandbox at the max. With Proactive this is not the case.

I'll be (finally) releasing a CF10 setup video on the 28th and have included a malware file that I coded which should make this point rather clearly.
 
The really important thing to do is enable the sandbox at either the Restricted or Untrusted (if you are an old hand) level. If you really want to have an AV, go with something like Qihoo or Avast for local scans.

I have a question. My English is not good, I am sorry. I have Win 10 64b, CF 10, and I use the setting for sandboxed files as UNTRUSTED. What is the difference between RESTRICTED and UNTRUSTED? I have HIPS ON.

And another question is about AV. I want to use some AV solution. I used Avast with CF 8 and I had some problems. I switched to Qihoo but there are other problems - Qihoo does not work properly under a user account. I need some AV for my Win with CF 10.

And the last question is about a possible conflict between HIPS from CF and Avast. Will it work without problems, or what settings can I use?
 
Shmu- About the configuration difference between Firewall Security and Proactive Security: it's kinda-sorta both complicated and boring to get into, but as a rule of thumb if you use the default Firewall Security config you MUST keep the HIPS on, even with the sandbox at the max. With Proactive this is not the case.

I'll be (finally) releasing a CF10 setup video on the 28th and have included a malware file that I coded which should make this point rather clearly.
Already waiting for it .-)) (Perhaps there will be some configuration that we forget. Good day.)
 
Looking forward to it, too. You could add the boring and complicated stuff as an addendum named "boring and complicated", so as not to spoil your drama movie...
 