Do we actually need so many security programs?

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks for the suggestions! I removed VS, set the recommended settings in H_C, and used it to set WD to high protection.
If you want H_C to replace voodooshield, I think you will also need to enable some of the sponsors.
And it is recommended to use a Standard user account, because SRP can be bypassed by any elevated process.
Andy will correct me if this is inaccurate...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
If you want H_C to replace voodooshield, I think you will also need to enable some of the sponsors.
And it is recommended to use a Standard user account, because SRP can be bypassed by any elevated process.
Andy will correct me if this is inaccurate...
That depends on the level of paranoia and complexity of hardware/software.
H_C recommended settings with WD on high settings, is the best compromise between usability and security. It is already very restrictive, so the user has to be careful when adding the new restrictions. Blocking some sponsors (for example script interpreters) or using SUA, can be recommended if the user has to keep the vulnerable/unpatched software. But on the updated Windows 10 + H_C with the safe web browser and updated software, it is not required. Yet, if the user is afraid of being exploited anyway, then adopting SUA would be a good prevention. SUA is also recommended when using WD without H_C.

If nothing is exploited then nothing malicious can use the sponsors, bypass UAC, etc.
The executable exploits are blocked by forced SmartScreen. The VBScript & JScript malware files are blocked by SRP. PowerShell is highly restricted by Constrained Language mode. Malware in the wild, can often use the weaponized documents to exploit MS Office or Adobe Acrobat Reader applications. But this vector of attack is already mitigated in H_C recommended settings (Documents Anti-Exploit).

If the user wants to lock the computer temporarily, then it is possible by loading the predefined max settings in H_C (Windows_10_All_ON.hdc), set <Enforcement> = All Files, and set WD max settings. This can be done with a few mouse clicks (Log OFF from the account is required).
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
That depends on the level of paranoia and complexity of hardware/software.
H_C recommended settings with WD on high settings, is the best compromise between usability and security. It is already very restrictive, so the user has to be careful when adding the new restrictions. Blocking some sponsors (for example script interpreters mshta.exe, hh.exe, scrcons.exe, etc.) or using SUA, can be recommended if the user has to keep the vulnerable/unpatched software. But on the updated Windows 10 with the safe web browser and updated software, it is not required. Yet, if the user is afraid of being exploited anyway, then adopting SUA would be a good prevention.

If nothing is exploited then nothing malicious can use the sponsors, bypass UAC, etc.
The executable exploits are blocked by forced SmartScreen. The VBScript & JScript malware are blocked by SRP. PowerShell is highly restricted by Constrained Language mode. Malware in the wild, can often use the weaponized documents to exploit MS Office or Adobe Acrobat Reader applications. But this vector of attack is already mitigated in H_C recommended settings (Documents Anti-Exploit).

If the user wants to lock the computer temporarily, then it is possible by loading the predefined max settings in H_C (Windows_10_All_ON.hdc), set <Enforcement> = All Files, and set WD max settings. This can be done with a few mouse clicks (Log OFF from the account is required).

I was very happy with defender but didn’t offer a consolidated view for the whole family , which includes quite seniors and quite juniors so I went with Sophos Home premium. The web dashboard to manage the whole family is very convenient

I quite miss some non AV related features ie anti ransomware- restrict access to some folders except certain whitelisted apps etc. Sophos has overridden these as it provides its own ransomware protection - I was wondering, are you aware how well does H_C Play with Sophos? I understand that it’s the case that SRP cannot conflict with the AV but what about the other protections ( incl anti exploit & anti malware by Sophos) , would these conflict ?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I was very happy with defender but didn’t offer a consolidated view for the whole family , which includes quite seniors and quite juniors so I went with Sophos Home premium. The web dashboard to manage the whole family is very convenient

I quite miss some non AV related features ie anti ransomware- restrict access to some folders except certain whitelisted apps etc. Sophos has overridden these as it provides its own ransomware protection - I was wondering, are you aware how well does H_C Play with Sophos? I understand that it’s the case that SRP cannot conflict with the AV but what about the other protections ( incl anti exploit & anti malware by Sophos) , would these conflict ?
When you run two security programs together, they might conflict. But SRP is not a program. It has no processes and no drivers, it is just a collection of registry entries. So its chances of conflicting are minimal.
 

notabot

Level 15
Verified
Oct 31, 2018
703
When you run two security programs together, they might conflict. But SRP is not a program. It has no processes and no drivers, it is just a collection of registry entries. So its chances of conflicting are minimal.

SRP can only conflict in case it blocks a user space process by Sophos to do its job - I’m not aware whether or not this is the case but perhaps someone who is experienced with Sophos and also uses SRP could shed some light
 

kev216

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
No, most configs I see here are overkill.
Often people combine programs because they protect against another buzzword (like ransomware, exploits etc), but it doesn't necessarily protect very well against it and even if it does, they forget to ask the question what the chance is to encounter such malware in real life computer usage.

In the end it's all a matter of taste. I personally like simplicity and lightness, but other might need/want to get a combination of certain products.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
SRP can only conflict in case it blocks a user space process by Sophos to do its job - I’m not aware whether or not this is the case but perhaps someone who is experienced with Sophos and also uses SRP could shed some light
I don't use Sophos, but my experience with SRP has shown that it is pretty easy to make an exception for a program to run in user space. If there is such an autorun connected with Sophos, then H_C will detect it and whitelist it automatically when you install H_C. If not, you can do so manually. You can check the log tool, to see if anything is being blocked.
But the only security software I know of that runs from user space is Windows Defender.
 

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
617
I usually use a free antivirus like the one from Bitdefender and a free version of a firewall like the one from Sphinx. I have to set the firewall to disable or enable (sometimes temporarily) some software, especially when updating.

For the browser, I use addons like uBlock Origin and NoScript plus a few more, but usually in non-default mode, so I have to make adjustments for some websites because videos or some parts of pages won't show up.

Anything else, like the free version of MalwareBytes, is used for manual scanning.

Beyond that, I have several backups scheduled: one full with periodic increments to an external HD, auto backups of some folders to the cloud, and a periodic system backup to one of the internal HDs.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
SRP can only conflict in case it blocks a user space process by Sophos to do its job - I’m not aware whether or not this is the case but perhaps someone who is experienced with Sophos and also uses SRP could shed some light
Tested Hard_Configurator with Sophos Premium. No problems.
Tested Sophos Premium against my collection of script trojan downloaders. All scripts bypassed the Sophos protection. The Exploit protection of MS Office was better, but after 15 minutes of testing, I found three ways of bypassing it to download/execute a payload. One bypass via macro and 2 bypasses via OLE. It is not as good as WD ASR rules which blocked all my weaponized scripts and MS Office documents.
Conclusion - Sophos Premium will benefit when using another application to protect against weaponized scripts and MS Office documents.

Edit.
The tests with weaponized scripts & documents were done without H_C or another application.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Andy, which exploit protection were you referring to? Is this a feature of Sophos, or did you mean your own DocumentsAntiExploit tool, or what?
I tested Sophos Premium against weaponized scripts and documents without H_C and DocumentsAntiExploit tool. Added a remark in my previous post. Thanks.
 

notabot

Level 15
Verified
Oct 31, 2018
703
Tested Hard_Configurator with Sophos Premium. No problems.
Tested Sophos Premium against my collection of script trojan downloaders. All scripts bypassed the Sophos protection. The Exploit protection of MS Office was better, but after 15 minutes of testing, I found three ways of bypassing it to download/execute a payload. One bypass via macro and 2 bypasses via OLE. It is not as good as WD ASR rules which blocked all my weaponized scripts and MS Office documents.
Conclusion - Sophos Premium will benefit when using another application to protect against weaponized scripts and MS Office documents.

Edit.
The tests with weaponized scripts & documents were done without H_C or another application.

Thanks for this, much appreciated! Out of curiosity, did Sophos detect the Trojans themselves which the scripts were downloading ( it’s clear the scripts themselves evaded )?

Re comparison to ASR, my understanding is that ASR is a policy tool, so comparison to Sophos which tries to do dynamic detection & prevention may be a bit unfair - the two approaches can probably be stacked, if we are to extrapolate from your SRP experiment.

Did you find Sophos exploit prevention to be better than Microsoft’s ? - these I’d assume can’t be stacked.

Defender is very good but having an aggregated view for all family endpoints costs 15$ per person per month, this functionality is priced for enterprises, not families
 
  • Like
Reactions: shmu26

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Thanks for this, much appreciated! Out of curiosity, did Sophos detect the Trojans themselves which the scripts were downloading ( it’s clear the scripts themselves evaded )?
My test was about anti-script capabilities. Sophos could detect the final payload via other modules. But, as we can see from the wild, the payloads are often 0-day malware files, so many of them will succeed.

Re comparison to ASR, my understanding is that ASR is a policy tool, so comparison to Sophos which tries to do dynamic detection & prevention may be a bit unfair - the two approaches can probably be stacked, if we are to extrapolate from your SRP experiment.
ASR rules are also dynamical. For example, some ASR rules monitor what the scripts do. If the script has downloaded the payload and next tries to run it, then the payload will be blocked. Also, ASR rules have nothing to do with SRP.
Did you find Sophos exploit prevention to be better than Microsoft’s ? - these I’d assume can’t be stacked.
I tested only Sophos exploit protection of MS Office against the weaponized documents. It was not bad, but WD + ASR rules are stronger for that.
Defender is very good but having an aggregated view for all family endpoints costs 15$ per person per month, this functionality is priced for enterprises, not families
[/QUOTE]
You can keep Sophos Premium, just use something else for anti-script protection. You can start with SysHardener. Furthermore, do not use MS Office and Adobe Acrobat Reader.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Both SRP and ASR are completely free, and they work well together, so it is worth considering a setup of Windows Defender with ASR + SRP, rather than paying for Sophos.
WD detection is good these days, especially at max settings.
Alternatively, instead of SRP, you might want to consider the free OSArmor. Not exactly the same, but quite flexible.
 

bribon77

Level 35
Thread author
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
No, most configs I see here are overkill.
Often people combine programs because they protect against another buzzword (like ransomware, exploits etc), but it doesn't necessarily protect very well against it and even if it does, they forget to ask the question what the chance is to encounter such malware in real life computer usage.

In the end it's all a matter of taste. I personally like simplicity and lightness, but other might need/want to get a combination of certain products.
I've been using computers for years, I did not find Rootkit or a Keylogger and the only Rasomware I've seen are the ones I downloaded To try.
Of course you can not let your guard down.:giggle:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top