Have AppGuard and NVT ERP -- need AV?

[shmu26]

Do I need AV with this combo?
AppGuard at the level called "protected" . I added appropriate programs to guarded apps.
NVT ERP free beta, in alert mode. I whitelisted a bunch of parent processes, and added a couple trusted vendors.
HitmanPro.Alert
Sandboxie for risky sites.
VirusTotal to check new programs before install.
Windows 10 x64
Chrome x64
Adguard
Bitdefender TrafficLight

 

[Captain Awesome]

No need of AV

 

[FleischmannTV]

Your setup is already complete overkill as it is. AppGuard alone would be enough.

 

[Duotone]

Nice same set-up... No need for real-time AV, scanners only!

Your setup is already complete overkill as it is. AppGuard alone would be enough.

True!

 

[DJ Panda]

For me better save than sorry EXE sheild can still be bypassed (anything can ) Adding an Av would be a good combo. Avast is light and can be used well for protection.

 

[Kate_L]

It's overkill, remove some of them and config what's left

 

[shmu26]

It's overkill, remove some of them and config what's left

there is some overlap here, but AG doesn't protect when installing programs, and NVT doesn't protect memory. And you anyway need some protection against exploits, so HMP.A. None of these slow down the system.

 

[King Alpha]

AppGuard in Locked-down Mode is more than enough. NVTERP would only be a second layer in case AG would fail.

 

[hjlbx]

NVT ERP is only needed if you wish to monitor command lines and monitor abusable processes shipped with Windows.

You can't monitor command lines with AppGuard, but any abusable process will do so with limited file system and registry access rights.

In AppGuard, you just add vulnerable processes to User Space if you do not wish them to execute. However, there is a bug where some will still execute. I have reported it a while back...

 

[DJ Panda]

AppGuard and Exe Radars aren't perfect. Even though they can make the computer very safe I would reccomend adding a free AV. To me as long as they run on the system ok its not really Overkill.

 

[King Alpha]

AppGuard and Exe Radars aren't perfect. Even though they can make the computer very safe I would reccomend adding a free AV. To me as long as they run on the system ok its not really Overkill.

+1

I am for sure that they're not 100% bulletproof. I guess having an AV is still the best option instead of relying heavily on Anti-Executables.

 

[shmu26]

In AppGuard, you just add vulnerable processes to User Space if you do not wish them to execute.

but if you stop them from running altogether, lots of programs won't work.

 

[hjlbx]

but if you stop them from running altogether, lots of programs won't work.

That's not true for the vast majority of average users - who don't need NET Framework, powershell, and most vulnerable command line utilities.

I have a lot of vulnerable processes blocked from running by default and it doesn't affect my system negatively one bit. If I find a need something, I allow it and then disallow it after I'm done - but this is very rare.

* * * * *

Windows is a general purpose OS that is shipped to meet everyone's needs. Because of this, there is a lot shipped with Windows that isn't needed and that also greatly increases the probability that system security can by bypassed.

* * * * *

AppGuard & NVT ERP are for physical system protection; they provide no web or network protections. Web protections are basically IP address filtering so any decent ad blocking\malicious URL blocking software will do -- like Adguard. As far as network protections - firewalls alone are completely insufficient. For good network protections it requires an intrusion detection system (IDS). The problem with this is that most home users don't need it - unless they are constantly using public hotspots - and also the fact that there is really no suitable stand-alone network IDS available for home users.

The vast majority of home users are not targeted at home. The problem is when they head to a public hotspot with their laptop.

 

[FleischmannTV]

For me better save than sorry EXE sheild can still be bypassed (anything can ) Adding an Av would be a good combo.

I always wonder why people think an attacker is sophisticated and determined enough to bypass something like AppGuard or Sandboxie, only to be stopped by a crappy free AV. If anything, such an AV makes it way easier to bypass restricted environments due to their nature of processing hostile code with highest privileges and tampering with low privilege processes, opening holes which were not there before.

but AG doesn't protect when installing programs

That's a very good point actually, but the solution to that problem is awareness and education, not piling security software on top of each other.

And you anyway need some protection against exploits

AppGuard offers protection against exploits by containing them. You don't necessarily have to detect them in order to be protected. Though it can be argued that by stopping an attack in the earliest stage, the next stage, which might be a sandbox escape and/or privilege escalation, could be prevented as well. Then again, if an exploit is advanced enough to break out of a restricted environment, why wouldn't it be advanced enough to evade standard exploit detection methods.

 

[Tony Cole]

I'd use Comodo firewall, Win Defender and AppGuard (lock down mode) - as hjlbx explained to me, it takes time to learn how to use AppGuard, but will provide near bullet-proof protection. For Comodo setup, follow cruelsisters advice, then you can get rid of Sandboxie.

P.S. hjlbx does use AppGuard and NVT, but he is an expert!!!

 

[hjlbx]

The advantage of HMP.A is that it provides some protection against shell code exploits. I am not sure how robust and effective it is -- because testing such things is quite difficult.

NVT ERP can be bypassed by abusing NET Framework and other vulnerable, but white-listed Windows processes. This can be greatly mitigated by adding those processes to the NVT ERP Vulnerable Process list. It's very simple to do...

With AppGuard on the system, those processes will be executed with limited registry and file system access rights.

* * * * *

The whole point to protect the system is not to allow an unknown\untrusted application to execute on the system in the first place. For AVs, if it isn't detected by signature, then is default-allow -- which is absolutely ludicrous and the reason why so many people still get infected using internet security suites.

With AppGuard installed, nothing is going to execute from User Space in Lock Down mode except for processes that are in System Space or on the Guarded Apps list.

So let's say you have a bad browser exploit that abuses NET Framework (vbc.exe, RegAsm.exe, etc) and powershell and manages to get a payload onto the system. The payload itself will not execute (will be blocked by AppGuard). Furthermore, let's say it is "fileless" malware that tries to use powershell, cmd.exe or something else to mess with the registry (like Powerliks) - then AppGuard will block it. It's because all those processes are child processes of the browser - and the browser is a Guarded App with limited rights. Therefore, all child processes inherit its parent's rights = in this case, limited rights.

I suppose if a malc0der really studied AppGuard - and figured out what registry keys it does not protect - they might be able to create some form of bypass. It's not out of the realm of possibility, but not likely either.

However, as it stands, most people that get infected with AppGuard installed managed to do so by making a blunder. For example, not re-enabling AppGuard's protection or blindly installing a program that they didn't verify as safe before executing it.

The general attitude is that security programs should be default-allow for typical users, and yet, still completely protect the system by figuring out for the user what is malicious and what is not malicious. That protection model has been complete bunk for some 20 odd years at this point - and the reason why people still get infected.

The best protected system is one with only very well known programs and one that is completely locked-down (static).

Screwing around -- always trying new files\programs - with most any AV and improper configurations = eventual infection.

 

[FleischmannTV]

With AppGuard on the system, those processes will be executed with limited registry and file system access rights.

I believe they also inherit the memory guarded status.

 

[hjlbx]

I believe they also inherit the memory guarded status.

Yes. As far as I understand, child processes of Guarded Apps or those with Guarded App status (User Space launch in Protected Mode), then Memory Guard protection is also applied.

BRN's explanation of their memory protections is not very specific and therefore unclear.

I've asked and I have yet to get a complete, understandable explanation from BRN...

 

[hjlbx]

AppGuard doesn't protect against browser hijacks - but fixing that is easy enough. In most cases, just run CCleaner. If that doesn't fix it, then it simply requires a manual inspection of C:\Users\User\* - and perhaps C:\Program Data.

Protecting against browser hijacks is the only benefit I personally can see an advantage to using Sandboxie. Otherwise, Sandboxie eventually always turns out to be a real annoyance when browser or OS updates mess with it - sometimes badly. I'm not saying Sandboxie is not worthwhile - because it certainly is worthwhile. I do like Sandboxie, but for me personally, I have no need of it - at least not based upon my computing habits.

 

[DJ Panda]

I always wonder why people think an attacker is sophisticated and determined enough to bypass something like AppGuard or Sandboxie, only to be stopped by a crappy free AV. If anything, such an AV makes it way easier to bypass restricted environments due to their nature of processing hostile code with highest privileges and tampering with low privilege processes, opening holes which were not there before.



That's a very good point actually, but the solution to that problem is awareness and education, not piling security software on top of each other.



AppGuard offers protection against exploits by containing them. You don't necessarily have to detect them in order to be protected. Though it can be argued that by stopping an attack in the earliest stage, the next stage, which might be a sandbox escape and/or privilege escalation, could be prevented as well. Then again, if an exploit is advanced enough to break out of a restricted environment, why wouldn't it be advanced enough to evade standard exploit detection methods.[/QUOTE

AddGuard and NVT can be bypassed and are not perfect. It is always true about AVs as well. However its always good to have a little extra protection hackers cannot be easily stopped by just one thing you need a layered security approach.