Basic Security: Evjl's Rain's security config

Last updated: Sep 17, 2018
Windows Edition: Pro
Security updates: Check for updates and Notify
User Account Control (UAC): Never notify (disabled)
Real-time security: Kaspersky Security Cloud Free, SysHardener, Run-by-Smartscreen (by Andy Ful)
Firewall security: Microsoft Defender Firewall
Periodic malware scanners: Zemana, HitmanPro, NPE, Emsisoft Emergency Kit
Malware sample testing:
Browser(s) and extensions: Chromium portable x64 (RAMdisk cache): uBlock Origin, Notifier for Gmail, Google Translate, h264ify, Windows Defender Browser Protection, Popup blocker (strict)
Maintenance tools: CCleaner + CCEnhancer, Auslogics Disk Defrag, Defraggler, Wise Disk Cleaner, Wise Registry Cleaner, IObit Uninstaller, Revo Uninstaller, SysHardener, O&O ShutUp, WPD, SumatraPDF, EagleGet, SoftPerfect RAM Disk, WinRAR, Everything Search Engine, Classic Shell, Run-by-Smartscreen
File and Photo backup: Dropbox, Google Drive
System recovery: Norton Ghost
Computer specs: https://malwaretips.com/threads/rains-laptop.61841/#post-528136

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Hi, I see you are still using SAP, what do you have to say about it?
And why SAP + Comodo, isn't one or the other enough?
Just interested to hear your sage opinions...
Hi, I find SAP very light: lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't.
The detection rate of Universal AV is good, and with Jotti it is extremely good, the best detection rate on the market if I'm not mistaken.
SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than Comodo, VS in autopilot or NVT ERP. This is what I need; I hate popups. It rarely shows popups when I run safe apps, while VS, NVT or CF usually block these. Some people may not like it.
I think SAP doesn't support cmd, vbs or script commands because I haven't seen it block anything.
I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF's signatures (VirusScope) are very poor and rarely block anything.
Sig-less apps generate so many FPs that I may end up ignoring them and allowing something to run.
CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, since sometimes I don't trust VT/Jotti, I may run them in CF's sandbox to monitor bad behaviors or run them with full permission (internet connection blocked) under Shadow Defender.

EDIT: I think SAP is good while online but not good offline. CF can deal with this until I have the internet back.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hi, I find SAP very light: lighter than most primary AVs, slightly heavier than Zemana AM/AL because SAP has on-access scanning while ZAM doesn't.
The detection rate of Universal AV is good, and with Jotti it is extremely good, the best detection rate on the market if I'm not mistaken.
SAP as an anti-exe/whitelisting app is OK, not the best, can be the worst. It shows significantly fewer popups than Comodo, VS in autopilot or NVT ERP. This is what I need; I hate popups. It rarely shows popups when I run safe apps, while VS, NVT or CF usually block these. Some people may not like it.
I think SAP doesn't support cmd, vbs or script commands because I haven't seen it block anything.
I don't feel safe if I don't have a program with signatures. I don't trust sig-less apps. CF's signatures (VirusScope) are very poor and rarely block anything.
Sig-less apps generate so many FPs that I may end up ignoring them and allowing something to run.
CF sandboxed so many of my files and I had to unblock them. I know they are safe because VT says 0/62 and Jotti/Universal AV say 0. In this case, since sometimes I don't trust VT/Jotti, I may run them in CF's sandbox to monitor bad behaviors or run them with full permission (internet connection blocked) under Shadow Defender.

EDIT: I think SAP is good while online but not good offline. CF can deal with this until I have the internet back.
Yes, it is pretty basic as an anti-exe, but that is actually a good thing if you are sick and tired of all the problems that anti-exes usually cause.
Windows Script Host protection does seem to be absent, so the user should disable wscript, unless it is protected by another app, as it is in your case.

shmu26

Yes, it is pretty basic as an anti-exe, but that is actually a good thing if you are sick and tired of all the problems that anti-exes usually cause.
Windows Script Host protection does seem to be absent, so the user should disable wscript, unless it is protected by another app, as it is in your case.
Okay, I asked SAP support about Windows Script Host protection.
It sounds like they do have typical anti-exe protection, although there does not seem to be protection for fileless attacks. (But for PowerShell, there is protection even for fileless.)
Their help file says this:

In application whitelisting, executing a script requires both the script interpreter (which executes the script) and the script file itself to be trusted. The script interpreter will refuse to open any non-trusted file.
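The advice above, disabling wscript when no other product covers Windows Script Host, can be done with the documented registry switch that both wscript.exe and cscript.exe honor. The PowerShell below is an added example written for this page; it is not SAP's code, not shmu26's, and not anything from the thread. It sets the `Enabled` value under the Windows Script Host `Settings` key to 0 at machine and user scope, reports the resulting state, and proves the change with a constructed one-line .vbs probe run through cscript. The function names, the probe file and the `WSH-RAN` marker are my own choices; run it from an elevated PowerShell prompt, since the HKLM write needs administrator rights.

```powershell
# Added example (not from the thread): turn Windows Script Host off via the
# documented 'Enabled' registry value and verify that scripts no longer run.
# Must be run as administrator for the HKLM write.

$wshPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user
)

function Set-WindowsScriptHost {
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    foreach ($path in $wshPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 'Enabled' is a REG_DWORD; 0 makes wscript.exe and cscript.exe refuse every script
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
                         -Value $value -Force | Out-Null
    }
}

function Get-WindowsScriptHostState {
    foreach ($path in $wshPaths) {
        $v = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        # A missing value means Windows' default, which is WSH enabled
        $state = if ($null -eq $v) { 'default (enabled)' } else { $v }
        [pscustomobject]@{ Scope = $path.Split(':')[0]; Enabled = $state }
    }
}

function Test-WshBlocked {
    # Constructed probe script: if WSH were still enabled this would print 'WSH-RAN'.
    $probe = Join-Path $env:TEMP 'wsh_probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH-RAN"' -Encoding ASCII
    try {
        # When WSH is disabled cscript prints an "access is disabled" message instead
        $out = & cscript.exe //Nologo $probe 2>&1 | Out-String
        return ($out -notmatch 'WSH-RAN')
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

Set-WindowsScriptHost -Enabled $false
Get-WindowsScriptHostState | Format-Table -AutoSize
if (Test-WshBlocked) {
    'Windows Script Host is disabled: .vbs/.vbe/.js/.jse/.wsf will not run via wscript/cscript'
} else {
    'WARNING: the probe script still executed; check the registry values listed above'
}
```

This switch only covers the WSH engines. It does nothing for .hta (mshta.exe), .ps1 (PowerShell) or .bat/.cmd files, which is why the later posts in this thread add those extensions to a separate block or scan list. To undo it, call `Set-WindowsScriptHost -Enabled $true`.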

Evjl's Rain

Removed:
- Comodo Firewall: caused system freezing after a Windows update -> forced reboot to use it. Second time.

Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in the RAMdisk; noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection)
- Enabled Windows firewall: deleted most rules, kept very few rules

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in the RAMdisk; noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance
- Enabled Windows firewall: deleted most rules, kept very few rules
How did you find space for a RAMdisk with limited RAM?
Back to Avast free again even if it's supposedly slower? What did you do for maximum performance?
Is SAP still there?

Evjl's Rain

How did you find space for a RAMdisk with limited RAM?
Back to Avast free again even if it's supposedly slower? What did you do for maximum performance?
Is SAP still there?
Yes, I'm using Avast with SAP. I have no better choice as CF is causing problems.
My Avast settings are similar to Windows_Security's Avast settings;
I just added Behavior Shield and a few suspicious extensions in "Scan when opening": .js, .jsw, .jse, .vbs, .hta, .cmd, .bat, .scr,
and excluded the SAP folder from real-time protection.

Some people say "Enable Reputation Services" is the cause of the performance problem. I kind of agree.
CyberCapture is causing high network usage.

I set the RAMdrive to 512 MB. It's enough for me to run Chrome in it.
After boot, everything uses ~20-23% of the 8 GB of RAM I have, so this is good.
Avast and SAP use very little RAM.

Evjl's Rain

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-Ransomware Tool

Removed:
- SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable; got this 4-5 times. After removal, everything was back to normal

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Added:
- Comodo Firewall - proactive
- Kaspersky Anti-Ransomware Tool

Removed:
- SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable; got this 4-5 times. After removal, everything was back to normal
I removed SAP by switching again to EAM.
Not really sure about the culprit, but I got strange problems (especially the CPU at 99% and being unable to open applications, with the perennial Windows hourglass) after a reboot from a Shadow Defender session.
With difficulty I managed to uninstall SAP and everything was back to normal.

Handsome Recluse

Added:
- Comodo Firewall - proactive
- Kaspersky Anti-Ransomware Tool

Removed:
- SecureAPlus: 100% conflicted with CF. Windows froze on boot, unusable; got this 4-5 times. After removal, everything was back to normal
Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.

Evjl's Rain

Why? The loops. I thought CF had problems and Avast wasn't light enough, etc.
CF had a problem due to the conflict with SAP. Now I understand why. I want to try different combos. This combo seems to work well. In the future, I would like to try Zemana Ultimate when it comes out.
Avast was good but it slowed down the boot time.
I understand the problem was due to a conflict between CF + SecureAPlus?
Yes, CF + SAP was a nightmare. CF with Avast/Zemana/KART doesn't have this problem.
What can KAS add to Comodo Firewall that CF can't do by itself?
KART has OK signatures and a behavioral blocker which can work offline. Comodo's signatures are extremely weak, and with CF there must be an internet connection.

Handsome Recluse

Removed:
- Comodo Firewall: caused system freezing after a Windows update -> forced reboot to use it. Second time.

Installed:
- Sandboxie free. Chrome is running inside the sandbox + cached in the RAMdisk; noticed less disk usage
- Avast free with minimal setup and highly tweaked for maximum performance (similar to Windows_Security's settings but a little modified for better protection)
- Enabled Windows firewall: deleted most rules, kept very few rules
So you had CF + SAP when this happened?
KART has OK signatures and a behavioral blocker which can work offline. Comodo's signatures are extremely weak, and with CF there must be an internet connection.
Don't all of them... Avast/Zemana/KART/CF rely on the internet equally?

Evjl's Rain

So you had CF + SAP when this happened?

Don't all of them... Avast/Zemana/KART/CF rely on the internet equally?
Yes, CF + SAP caused the problem. CF alone or with other products does not cause it.
Zemana strictly requires the internet.
KART does require the internet for cloud/KSN lookups, but it can work offline because it has System Watcher = BB.
CF does not require the internet. The cloud lookup is to detect malware and reduce the FP rate; otherwise the internet is not that important.
Avast can fully work offline. The internet is for file reputation lookups and CyberCapture.

Evjl's Rain

Added:
- Zemana AntiLogger with Pandora

Removed:
- Kaspersky Anti-Ransomware Tool: noticed that CF always worked before KART and sandboxed the test files. After disabling the sandbox, KART would work. There is no point in using KART, which is always working slower than CF.

Evjl's Rain

Added:
- Avast free AV: Windows_Security's settings + a few changes; only File Shield is installed. Super smooth
+ removed the W tick from the C:\ProgramData\* exclusion
+ added C:\Users\* to exclusions with only R ticked
+ disabled rootkit scan on startup
+ disabled hardware-assisted virtualization -> better compatibility with CF and VMware, fewer conflicts
+ added some custom extensions in "Scan when opening": .js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
+ added the Comodo folder to global exclusions
- CF experimental settings (based on Cs's):
+ Blocked all incoming connections except for a few very important apps
+ svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080
+ Disabled Web Filtering (due to its uselessness/ineffectiveness) -> gain a bit more speed while surfing
- uBlock Protector extension (Chrome)

Removed:
- Norton Safe Web: false-positive king, became quite annoying
- Zemana AntiLogger
- Sandboxie (CF can replace it)

Evjl's Rain

CF experimental settings (updated):
- Firewall: svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080; block everything else
- Autosandbox: created a file group and blocked these vulnerable extensions from execution using the autosandbox -> tested, working
(attached screenshots: Capture.PNG, 1.PNG)
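The svchost.exe rule above is Comodo Firewall configuration. As an added example, not from the thread and not Comodo's or the thread author's code, the PowerShell below expresses the same policy in the built-in Windows Defender Firewall, which is what the author fell back to when CF was removed: svchost.exe may connect outbound only to remote ports 53, 67, 80, 443 and 8080, and every other remote port is blocked. It relies on Windows Firewall always letting a block rule win over an allow rule, so the block rule has to list every port range except the five allowed ones; the helper computes that complement. The port list is the thread's; the rule names, applying the list to both TCP and UDP, and `-Profile Any` are my assumptions. Run as administrator.

```powershell
# Added example (not from the thread): Windows Defender Firewall version of
# "svchost.exe: only allow outgoing ports 53, 67, 80, 443, 8080; block everything else".
# Run as administrator.

$svchost = "$env:SystemRoot\System32\svchost.exe"
$allowed = 53, 67, 80, 443, 8080          # the thread's port list (assumption: same list for TCP and UDP)

# Windows Firewall block rules cannot say "all except these", so build the
# complement of $allowed as port ranges. For the list above this yields
# 1-52, 54-66, 68-79, 81-442, 444-8079, 8081-65535.
function Get-BlockedPortRanges {
    param([int[]]$Allow)
    $ranges = @()
    $start = 1
    foreach ($p in ($Allow | Sort-Object -Unique)) {
        if ($p -gt $start) { $ranges += "$start-$($p - 1)" }
        $start = $p + 1
    }
    if ($start -le 65535) { $ranges += "$start-65535" }
    return $ranges
}

$blocked = Get-BlockedPortRanges -Allow $allowed

# Remove earlier copies of our rules so the script can be re-run safely
Get-NetFirewallRule -DisplayName 'Example svchost*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($proto in 'TCP', 'UDP') {
    # Allow rule for the listed remote ports only
    New-NetFirewallRule -DisplayName "Example svchost allow $proto" -Direction Outbound `
        -Program $svchost -Protocol $proto -RemotePort $allowed `
        -Action Allow -Profile Any | Out-Null
    # Block rule for every other remote port; block always beats allow in Windows Firewall
    New-NetFirewallRule -DisplayName "Example svchost block $proto" -Direction Outbound `
        -Program $svchost -Protocol $proto -RemotePort $blocked `
        -Action Block -Profile Any | Out-Null
}

# Show the resulting rules with their port filters resolved
Get-NetFirewallRule -DisplayName 'Example svchost*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Action     = $_.Action
        Protocol   = $pf.Protocol
        RemotePort = ($pf.RemotePort -join ',')
    }
} | Format-Table -AutoSize
```

Before relying on this, watch what it breaks: many Windows services run inside svchost.exe, and the Windows Time service (w32time) syncs over NTP, UDP port 123, which this list blocks, so add 123/UDP if clock sync matters to you. Enabling `Set-NetFirewallProfile -All -LogBlocked True` and reading `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` shows which svchost connections the block rules are dropping. Remove the example rules with `Get-NetFirewallRule -DisplayName 'Example svchost*' | Remove-NetFirewallRule`.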
