Basic Security Evjl's Rain's security config

[Evjl's Rain]

Hi, I see you are still using SAP, what do you have to say about it?
And why SAP + Comodo, isn't one or the other enough?
Just interested to hear your sage opinions...

hi, I found SAP is very light, lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't
the detection rate of universal AV is good + Jotti = extremely good, the best detection rate on the market if I'm not mistaken
SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than comodo, VS in autopilot or NVT ERP. This is what I need, I hate popups. It rarely shows popups when I run safe apps while VS, NVT or CF usually block these. Some people may not like it
I think SAP doesn't support cmd, vbs, script commands because I haven't seen it blocking anything
I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF signatures (virusscope) are very poor and rarely blocks something
sig-less apps generate so many FPs which I may end up ignoring them and allowing something to run
CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, sometimes I don't trust VT/Jotti, I may run them in CF's sandbox to monitor bad behaviors or run them with full permission (internet connection is blocked) under Shadow Defender

EDIT: I think SAP is good while online but not good in offline. CF can deal with this until I have the internet back

 

[shmu26]

Thanks!

 

[shmu26]

hi, I found SAP is very light, lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't
the detection rate of universal AV is good + Jotti = extremely good, the best detection rate on the market if I'm not mistaken
SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than comodo, VS in autopilot or NVT ERP. This is what I need, I hate popups. It rarely shows popups when I run safe apps while VS, NVT or CF usually block these. Some people may not like it
I think SAP doesn't support cmd, vbs, script commands because I haven't seen it blocking anything
I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF signatures (virusscope) are very poor and rarely blocks something
sig-less apps generate so many FPs which I may end up ignoring them and allowing something to run
CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, sometimes I don't trust VT/Jotti, I may run them in CF's sandbox to monitor bad behaviors or run them with full permission (internet connection is blocked) under Shadow Defender

EDIT: I think SAP is good while online but not good in offline. CF can deal with this until I have the internet back

Yes, it is pretty basic as an anti-exe, but that is actually a good thing, if you are sick and tired of all the probs that anti-exes usually cause.
Windows Script Host protection does seem to be absent, so user should disable wscript, unless it is protected by another app, as it is in your case.

 

[shmu26]

Yes, it is pretty basic as an anti-exe, but that is actually a good thing, if you are sick and tired of all the probs that anti-exes usually cause.
Windows Script Host protection does seem to be absent, so user should disable wscript, unless it is protected by another app, as it is in your case.

Okay, I asked SAP support about Windows Script Host protection.
It sounds like they do have typical anti-exe protection, although there does not seem to be protection for fileless attacks. (But for Powershell, there is protection even for fileless.)
Their help file says like this:

In application whitelisting, executing a script requires both the script interpreter (which executes the script) and the script file itself to be trusted. The script interpreter will refuse to open any non-trusted file.

 

[Evjl's Rain]

Removed:
- Comodo Firewall: caused system freezing after a windows update -> forced reboot to use. second time

Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection
- Enabled windows firewall: deleted most rules, kept very few rules

 

[Handsome Recluse]

Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance
- Enabled windows firewall: deleted most rules, kept very few rules

How did you find space for a RAMdisk with limited RAM?
Back to Avast free again even if it's supposedly slower? What did you do for maximum performance.
Is SAP still there?

 

[Evjl's Rain]

How did you find space for a RAMdisk with limited RAM?
Back to Avast free again even if it's supposedly slower? What did you do for maximum performance.
Is SAP still there?

Yes, I'm using avast with SAP. I have no better choice as CF is causing problems
my avast settings are similar to windows_security's avast settings
just added behavior shield, a few suspicious extensions in "scan when opening": .js, .jsw, .jse, .vbs, .hta, .cmd, .bat, .scr
exclude SAP folder from realtime protection

some people say "Enable Reputation Services" is the cause of performance problem. I kind of agree
cybercapture is causing high network usage

I set RAMdrive = 512Mb. It's enough for me to run chrome in it
after boot, everything uses ~20-23% of total RAM over 8Gb of RAM I have. So this is good
avast and SAP use very little RAM

 

[Evjl's Rain]

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-ransomware tool

Removed:
- SecureAplus: 100% conflicted with CF. Windows froze on boot, unusable. got this 4-5 times. After removal, everything was back to normal

 

[Winter Soldier]

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-ransomware tool

Removed:
- SecureAplus: 100% conflicted with CF. Windows froze on boot, unusable. got this 4-5 times. After removal, everything was back to normal

I removed SAP by switching again on EAM.
Not really sure about the culprit but I got strange problems (especially the CPU at 99% and unable to open applications with perennial Windows hourglass) after a reboot from Shadow Defender session.
With difficulty I managed to uninstall SAP and everything was back to normality.

 

[Handsome Recluse]

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-ransomware tool

Removed:
- SecureAplus: 100% conflicted with CF. Windows froze on boot, unusable. got this 4-5 times. After removal, everything was back to normal

Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.

 

[lab34]

I understand the problem was due to a conflict between CF+SecureAplus ?

 

[Hector1]

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-ransomware tool

Removed:
- SecureAplus: 100% conflicted with CF. Windows froze on boot, unusable. got this 4-5 times. After removal, everything was back to normal

What KAS can add to Comodo Firewall that CF can't do by itself??

 

[Evjl's Rain]

Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.

CF had a problem due to the conflict with SAP. Now I understand why. I want to try different combos. This combo seems to work well. In the future, I would like to try zemana ultimate when it comes out
avast was good but it slowed down the boot time

I understand the problem was due to a conflict between CF+SecureAplus ?

yes, CF+SAP was a nightmare. CF with avast/zemana/KARW doesn't have this problem

What KAS can add to Comodo Firewall that CF can't do by itself??

KART has OK signatures and behavioral blocker which can work offline. Comodo's signatures are extremely weak and with CF, there must be an internet connection

 

[Handsome Recluse]

Removed:
- Comodo Firewall: caused system freezing after a windows update -> forced reboot to use. second time

Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in RAMdisk, noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection
- Enabled windows firewall: deleted most rules, kept very few rules

So you had CF+SAP when this happened?

KART has OK signatures and behavioral blocker which can work offline. Comodo's signatures are extremely weak and with CF, there must be an internet connection

Don't all of them... avast/zemana/kart/CF rely on internet equally?

 

[Evjl's Rain]

So you had CF+SAP when this happened?

Don't all of them... avast/zemana/kart/CF rely on internet equally?

yes, CF+SAP caused the problem. CF alone or with other products do not cause it
zemana strictly requires the internet
KART does require the internet for cloud/KSN lookup but it can work offline because it has system watcher = BB
CF does not require the internet. The cloud lookup is to detect malwares and reduce the FP rate, otherwise the internet is not that important
avast can fully work offline. The internet is for file reputation lookup, cybercapture

 

[Evjl's Rain]

Added:
- Zemana antilogger with Pandora

Removed:
- Kaspersky Anti-ransomware tool: noticed that CF always worked before KART and sandboxed the test files. After disabling the sandbox, KART would work. There is no point of using KART which is always working slower than CF

 

[Evjl's Rain]

Added:
- Avast free AV: Windows_Security's settings + a few changes, only File Shield is installed. Super smooth

+ removed W tick for C:\ProgramData\* exclusion
+ added C:\Users\* to exclusion with only R is ticked
+ disabled rootkit scan on startup
+ disabled hardware-assisted virtualization -> better compatibility with CF and VMware, fewer conflicts
+ added some custom extensions in "Scan when opening": .js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
+ added comodo folder to global exclusion
​

- CF experimental settings (based on Cs's one):

+ Blocked all incoming connections except a few very important apps
+ svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080
+ Disabled Web Filtering (due to its uselessness/ineffectiveness) -> gain a bit more speed while surfing
​

- uBlock Protector extension (chrome)


Removed:
- Norton Safe Web: false positive king, became quite annoying
- Zemana Antilogger
- Sandboxie (CF can replace it)

 

[Sunshine-boy]

added some custom extensions in "Scan when opening": .js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf

Wise decision thnx for share!you are tricky

 

[Evjl's Rain]

CF experimental settings (updated):
- Firewall: svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080. block everything else
- Autosandbox: created a file group and blocked these vulnerable extensions from execution using autosandbox -> tested - working

 

[Evjl's Rain]

Removed:
- Avast free

Added:
- Zemana Antilogger (pandora): I miss its performance
- Metadefender for chrome