Latest changes: Sep 17, 2018
Windows Edition: Pro
System type: 64-bit operating system; x64-based processor
Update and Security: Manual check for updates
User Account Control: Never notify (UAC disabled)
Firewall and Network protection: Microsoft Defender Firewall is active
User permissions: Administrator account; User account
Malware exposure: Malware samples are downloaded on a virtual machine
Real-time malware protection: Kaspersky Security Cloud Free, SysHardener, Run-by-SmartScreen (by Andy Ful)
Periodic scanners: Zemana, HitmanPro, NPE, Emsisoft Emergency Kit
Browser and extensions: Chromium portable x64 (RAMdisk cache) with uBlock Origin, Notifier for Gmail, Google Translate, h264ify, Windows Defender Browser Protection, Popup Blocker (strict)
Privacy tools and VPN: uBlock Origin with Steven Black's hosts, 1Hosts and many other lists
Password manager: None
Search engine: Google, DuckDuckGo
Maintenance tools: CCleaner + CCEnhancer, Auslogics Disk Defragmenter, Defraggler, Wise Disk Cleaner, Wise Registry Cleaner, IObit Uninstaller, Revo Uninstaller, SysHardener, O&O ShutUp, WPD, SumatraPDF, EagleGet, SoftPerfect RAM Disk, WinRAR, Everything Search Engine, Classic Shell, Run-by-SmartScreen
Photos and documents backup: Dropbox, Google Drive
Data backup schedule: No data backups
Backup and restore: Norton Ghost
Backup schedule: Once or more per month
Computer specifications: https://malwaretips.com/threads/rains-laptop.61841/#post-528136
Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

> Hi, I see you are still using SAP, what do you have to say about it?
> And why SAP + Comodo, isn't one or the other enough?
> Just interested to hear your sage opinions...

Hi, I found SAP is very light, lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't.
The detection rate of Universal AV is good, and Universal AV + Jotti = extremely good, the best detection rate on the market if I'm not mistaken.
SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than Comodo, VS in autopilot or NVT ERP. This is what I need, I hate popups. It rarely shows popups when I run safe apps, while VS, NVT or CF usually block these. Some people may not like it.
I think SAP doesn't support cmd, vbs, script commands because I haven't seen it blocking anything.
I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF signatures (VirusScope) are very poor and rarely block anything.
Sig-less apps generate so many FPs that I may end up ignoring them and allowing something to run.
CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, sometimes I don't trust VT/Jotti, so I may run them in CF's sandbox to monitor for bad behaviors, or run them with full permission (internet connection blocked) under Shadow Defender.

EDIT: I think SAP is good while online but not good offline. CF can deal with this until I have the internet back.

shmu26 (Level 85, Verified, Trusted, Content Creator):

> Hi, I found SAP is very light, lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't.
> The detection rate of Universal AV is good, and Universal AV + Jotti = extremely good, the best detection rate on the market if I'm not mistaken.
> SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than Comodo, VS in autopilot or NVT ERP. This is what I need, I hate popups. It rarely shows popups when I run safe apps, while VS, NVT or CF usually block these. Some people may not like it.
> I think SAP doesn't support cmd, vbs, script commands because I haven't seen it blocking anything.
> I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF signatures (VirusScope) are very poor and rarely block anything.
> Sig-less apps generate so many FPs that I may end up ignoring them and allowing something to run.
> CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, sometimes I don't trust VT/Jotti, so I may run them in CF's sandbox to monitor for bad behaviors, or run them with full permission (internet connection blocked) under Shadow Defender.
>
> EDIT: I think SAP is good while online but not good offline. CF can deal with this until I have the internet back.

Yes, it is pretty basic as an anti-exe, but that is actually a good thing, if you are sick and tired of all the problems that anti-exes usually cause.
Windows Script Host protection does seem to be absent, so the user should disable wscript, unless it is protected by another app, as it is in your case.
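The "disable wscript" advice above can be applied with the registry value Windows Script Host itself honours. The script below is an added example, not code from the thread or from SecureAPlus; it writes the documented `Settings\Enabled` value (0 = disabled) under the machine-wide key and then probes the result by asking cscript.exe to run a throwaway .vbs that writes a marker file. The function names and the probe file names are my own choices.

```powershell
# Added example: disable Windows Script Host machine-wide and verify it.
# Run elevated. The HKCU key of the same name does the same for one user,
# but a 0 in HKLM wins for everyone on the machine.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WindowsScriptHostState {
    # Absent value means WSH is enabled (the default).
    $item = Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (value absent, default)' }
    if ($item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-WindowsScriptHost {
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-WindowsScriptHost {
    # Removing the value restores the default rather than writing 1,
    # so the system ends up exactly as it was before.
    Remove-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
}

function Test-WindowsScriptHostBlocked {
    # Probe: a harmless .vbs (constructed here) that creates a marker file.
    # If WSH is disabled, cscript refuses with "access is disabled on this
    # machine" and the marker never appears. An anti-exe that covers script
    # interpreters would produce the same result with WSH still enabled.
    $script = Join-Path $env:TEMP 'wsh_probe.vbs'
    $marker = Join-Path $env:TEMP 'wsh_probe.txt'
    Remove-Item $marker -ErrorAction SilentlyContinue
    Set-Content -Path $script -Value @(
        'Set fso = CreateObject("Scripting.FileSystemObject")',
        'fso.CreateTextFile("' + $marker + '").Close'
    )
    & "$env:SystemRoot\System32\cscript.exe" //Nologo $script 2>&1 | Out-Null
    $blocked = -not (Test-Path $marker)
    Remove-Item $script, $marker -ErrorAction SilentlyContinue
    return $blocked
}

"Before: $(Get-WindowsScriptHostState)"
Disable-WindowsScriptHost
"After:  $(Get-WindowsScriptHostState)"
"cscript blocked: $(Test-WindowsScriptHostBlocked)"
```

Two caveats a practitioner should keep in mind: this only affects wscript.exe and cscript.exe, so .hta files (mshta.exe), PowerShell and Office macros are untouched and need their own controls; and any domain logon scripts written in VBScript or JScript stop working, so test on one machine before pushing the value by GPO.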

shmu26 (Level 85, Verified, Trusted, Content Creator):

> Yes, it is pretty basic as an anti-exe, but that is actually a good thing, if you are sick and tired of all the problems that anti-exes usually cause.
> Windows Script Host protection does seem to be absent, so the user should disable wscript, unless it is protected by another app, as it is in your case.

Okay, I asked SAP support about Windows Script Host protection.
It sounds like they do have typical anti-exe protection, although there does not seem to be protection for fileless attacks. (But for PowerShell, there is protection even for fileless.)
Their help file says this:

> In application whitelisting, executing a script requires both the script interpreter (which executes the script) and the script file itself to be trusted. The script interpreter will refuse to open any non-trusted file.

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

Removed:
- Comodo Firewall: caused system freezing after a Windows update -> forced reboot to use. Second time.

Installed:
- Sandboxie Free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
- Avast Free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection)
- Enabled Windows Firewall: deleted most rules, kept very few rules

Handsome Recluse (Level 23, Verified):

> Installed:
> - Sandboxie Free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
> - Avast Free with minimal setup and highly tweaked for maximum performance
> - Enabled Windows Firewall: deleted most rules, kept very few rules

How did you find space for a RAMdisk with limited RAM?
Back to Avast Free again even if it's supposedly slower? What did you do for maximum performance?
Is SAP still there?

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

> How did you find space for a RAMdisk with limited RAM?
> Back to Avast Free again even if it's supposedly slower? What did you do for maximum performance?
> Is SAP still there?

Yes, I'm using Avast with SAP. I have no better choice as CF is causing problems.
My Avast settings are similar to Windows_Security's Avast settings.
Just added Behavior Shield, and a few suspicious extensions in "Scan when opening": .js, .jsw, .jse, .vbs, .hta, .cmd, .bat, .scr.
Excluded the SAP folder from real-time protection.

Some people say "Enable Reputation Services" is the cause of the performance problem. I kind of agree.
CyberCapture is causing high network usage.

I set the RAM drive to 512 MB. It's enough for me to run Chrome in it.
After boot, everything uses ~20-23% of the 8 GB of RAM I have. So this is good.
Avast and SAP use very little RAM.

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-Ransomware Tool

Removed:
- SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable. Got this 4-5 times. After removal, everything was back to normal.

Winter Soldier (Level 25):

> Added:
> - Comodo Firewall - proactive
> - Kaspersky Anti-Ransomware Tool
>
> Removed:
> - SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable. Got this 4-5 times. After removal, everything was back to normal.

I removed SAP by switching back to EAM.
Not really sure about the culprit, but I got strange problems (especially the CPU at 99% and being unable to open applications, with the perennial Windows hourglass) after a reboot from a Shadow Defender session.
With difficulty I managed to uninstall SAP and everything was back to normal.

Handsome Recluse (Level 23, Verified):

> Added:
> - Comodo Firewall - proactive
> - Kaspersky Anti-Ransomware Tool
>
> Removed:
> - SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable. Got this 4-5 times. After removal, everything was back to normal.

Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

> Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.

CF had a problem due to the conflict with SAP. Now I understand why. I want to try different combos. This combo seems to work well. In the future, I would like to try Zemana Ultimate when it comes out.
Avast was good but it slowed down the boot time.

> I understand the problem was due to a conflict between CF + SecureAPlus?

Yes, CF + SAP was a nightmare. CF with Avast/Zemana/KART doesn't have this problem.

> What can KART add to Comodo Firewall that CF can't do by itself?

KART has OK signatures and a behavioral blocker which can work offline. Comodo's signatures are extremely weak, and with CF there must be an internet connection.

Handsome Recluse (Level 23, Verified):

> Removed:
> - Comodo Firewall: caused system freezing after a Windows update -> forced reboot to use. Second time.
>
> Installed:
> - Sandboxie Free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
> - Avast Free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection)
> - Enabled Windows Firewall: deleted most rules, kept very few rules

So you had CF + SAP when this happened?

> KART has OK signatures and a behavioral blocker which can work offline. Comodo's signatures are extremely weak, and with CF there must be an internet connection.

Don't all of them... Avast/Zemana/KART/CF rely on the internet equally?

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

> So you had CF + SAP when this happened?
>
> Don't all of them... Avast/Zemana/KART/CF rely on the internet equally?

Yes, CF + SAP caused the problem. CF alone or with other products does not cause it.
Zemana strictly requires the internet.
KART does require the internet for cloud/KSN lookups, but it can work offline because it has System Watcher = BB.
CF does not require the internet. The cloud lookup is to detect malware and reduce the FP rate; otherwise the internet is not that important.
Avast can fully work offline. The internet is for file reputation lookups and CyberCapture.

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

Added:
- Zemana AntiLogger with Pandora

Removed:
- Kaspersky Anti-Ransomware Tool: noticed that CF always worked before KART and sandboxed the test files. After disabling the sandbox, KART would work. There is no point in using KART, which always works slower than CF.

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

Added:
- Avast Free AV: Windows_Security's settings + a few changes, only File Shield is installed. Super smooth.
  + removed the W tick for the C:\ProgramData\* exclusion
  + added C:\Users\* to the exclusions with only R ticked
  + disabled rootkit scan on startup
  + disabled hardware-assisted virtualization -> better compatibility with CF and VMware, fewer conflicts
  + added some custom extensions in "Scan when opening": .js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
  + added the Comodo folder to the global exclusions
- CF experimental settings (based on Cs's):
  + blocked all incoming connections except for a few very important apps
  + svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080
  + disabled Web Filtering (due to its uselessness/ineffectiveness) -> a bit more speed while surfing
- uBlock Protector extension (Chrome)

Removed:
- Norton Safe Web: false positive king, became quite annoying
- Zemana AntiLogger
- Sandboxie (CF can replace it)

Evjl's Rain (Level 45, Verified, Trusted, Content Creator, Malware Hunter):

CF experimental settings (updated):
- Firewall: svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080; block everything else
- Auto-Sandbox: created a file group and blocked these vulnerable extensions from execution using Auto-Sandbox -> tested, working
[Attached screenshots: Capture.PNG, 1.PNG]
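The svchost.exe rule in the two posts above ("only allow outgoing 53, 67, 80, 443, 8080, block everything else") is configured in Comodo Firewall. The script below is an added example, not from the thread or from Comodo, that expresses the same policy in Windows Defender Firewall with the built-in NetSecurity cmdlets, so it can be reproduced on a machine that only has the Windows firewall the config lists as active. Rule names and function names are my own choices; the port split between UDP and TCP is my reading of what those ports are used for.

```powershell
# Added example: restrict svchost.exe outbound traffic to DNS/DHCP/HTTP(S)/8080
# in Windows Defender Firewall. Run elevated. Test in a VM first: the
# "block everything else" part flips the profile default to Block, after
# which every other program (browser, updaters) needs its own allow rule.
#Requires -RunAsAdministrator

$Svchost    = Join-Path $env:SystemRoot 'System32\svchost.exe'
$RulePrefix = 'Hardening - svchost outbound'

function New-SvchostOutboundRules {
    # Remove earlier copies so the script can be re-run without duplicates.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # UDP: DNS (53) and the DHCP client, which sends from local 68 to remote 67.
    New-NetFirewallRule -DisplayName "$RulePrefix UDP" -Direction Outbound `
        -Program $Svchost -Protocol UDP -RemotePort 53,67 `
        -Action Allow -Profile Any | Out-Null

    # TCP: DNS over TCP (53), Windows Update / BITS / CRL fetches (80, 443),
    # and 8080 for a proxy, as in the original rule.
    New-NetFirewallRule -DisplayName "$RulePrefix TCP" -Direction Outbound `
        -Program $Svchost -Protocol TCP -RemotePort 53,80,443,8080 `
        -Action Allow -Profile Any | Out-Null
}

function Set-BlockOtherOutbound {
    # Windows Firewall evaluates Block rules before Allow rules, so an explicit
    # "block svchost on all ports" rule would also override the allows above.
    # The only way to express "block everything else" is the profile default.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Show-SvchostRules {
    # Read the rules back with their port filters to confirm what is in effect.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Protocol   = $pf.Protocol
            RemotePort = ($pf.RemotePort -join ',')
            Enabled    = $_.Enabled
        }
    }
}

New-SvchostOutboundRules
Set-BlockOtherOutbound
Show-SvchostRules | Format-Table -AutoSize
```

Two things break under this exact port list and are worth knowing before blaming the firewall: Windows Time (w32time, also hosted in svchost) uses UDP 123 and will stop syncing, and any service that needs a non-standard port (WinRM, SMB to a file server) will be silently dropped. Add a narrowly scoped allow rule for each of those rather than widening the svchost rule, and keep `-Program` pointing at the System32 copy so a renamed binary elsewhere does not inherit the allows.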