Have AppGuard and NVT ERP -- need AV?

[Duotone]

Great explanations made by @hjlbx and @FleischmannTV...

Going to keep NVTERP Alert mode(Beta) in my setup just realize yesterday it can detect invalid certificates even VT/Zemana didn't detect any sign of tampering.

AppGuard doesn't protect against browser hijacks - but fixing that is easy enough. In most cases, just run CCleaner. If that doesn't fix it, then it simply requires a manual inspection of C:\Users\User\* - and perhaps C:\Program Data.

Protecting against browser hijacks is the only benefit I personally can see an advantage to using Sandboxie. Otherwise, Sandboxie eventually always turns out to be a real annoyance when browser or OS updates mess with it - sometimes badly. I'm not saying Sandboxie is not worthwhile - because it certainly is worthwhile. I do like Sandboxie, but for me personally, I have no need of it - at least not based upon my computing habits.

True, OS or browser sometimes do mess up Sandboxie I can go without SBIE but I like a clean browser and if an exploit is blocked its only a matter of deleting the sandbox same goes for malware coming from other drives(USB).

 

[DJ Panda]

AV + AM + An app protector = being safe.

 

[Deleted member 178]

No need AV with ERP + Appguard for the reason @hjlbx and @FleischmannTV gave. I have one (which is Windows Defender) because im in Win10, if i was was on Win7 i won't even thinking adding one.

ERP + Appguard properly configured are extremely hardly bypassable; and if on top you have HMPA and sandboxie as i do ; only yourself can infect your system.

 

[shmu26]

NVT ERP can be bypassed by abusing NET Framework and other vulnerable, but white-listed Windows processes. This can be greatly mitigated by adding those processes to the NVT ERP Vulnerable Process list. It's very simple to do...

could you suggest a list of processes that should be added to Vulnerable in NVT ERP?
that sounds like a good tweak.
windows 10 x64

 

[Azure]

could you suggest a list of processes that should be added to Vulnerable in NVT ERP?
that sounds like a good tweak.
windows 10 x64

Here's a list that @hjlbx posted sometime ago.
Vulnerable Processes

My suggestion would be to find out what each of those processes do before adding them, and if you do add them one at a time making sure your computer works okay.
Though I'm sure @Umbra will give you far better suggestion than me, so you should listen to him.

 

[jamescv7]

No need for AV.

That is the concept of Anti-Exe Policy based where all you need is a good training eye for analysis. Rules will be the basis for the effective protection against possible intrusion.

The technicality of the program are already mentioned by our highly knowledgeable members, so its up to you if planning to remove AV due to obsolete techniques.

 

[Davidov]

ERP: I tried but so far found no bypass. Probably the dream never encounter in everyday life.

 

[shmu26]

ERP is simple and solid as a rock. It's a workhorse. It's not trying to be cool, or win any beauty contests, it just does the job and that's it.

 

[Tony Cole]

I still prefer AppGuard with (forgot his name, he was a user on here, but now works for AppGuard) adding additional rules and lock-down mode you won't get past it.

 

[shmu26]

Your setup is already complete overkill as it is. AppGuard alone would be enough.

I am now revisiting AppGuard, this time with a little more understanding. Indeed, I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.
HitmanPro.Alert and Sandboxie are not needed, in my opinion.
A simple AV like Windows Defender is a good safety net.

 

[Peter2150]

I would keep Sandboxie, for browsing.

 

[boredog]

Actually Windows Defender, Shadow Defender and Appguard are all anyone needs. Although as Cruelsister points out a good anti-key logger is a good idea if using Shadow Defender only.

 

[HarborFront]

I am now revisiting AppGuard, this time with a little more understanding. Indeed, I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.
HitmanPro.Alert and Sandboxie are not needed, in my opinion.
A simple AV like Windows Defender is a good safety net.

An AV can do like detecting and blocking a malicious file during downloading or immediate scanning after the file is being downloaded.

This is something that AppGuard and NVT ERP cannot do.

Consider the AV as a first line of defense.

 

[509322]

I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.

It is not so much a difference in protection as it is a difference in what the user wants. Some users want to disable stuff and have it blocked by default and the soft generate an alert. Others want silent blocking. Those options are available in both AppGuard and anti-executables. Such users already understand that something blocked is not something permanently broken - and are completely comfortable with it. They don't have nagging doubts that something blocked is damaging their system in some unknown, unwanted, damaging way.

There are those that desire the information feedback of an alert. Actually, AppGuard does give alerts and the user can tailor them. Anti-execs do the same.

Still others want the ability to regulate execution of certain processes. Those guys are rare as few people knowingly use vulnerable processes on any kind of regular basis.

So it all comes down to what the user wants. Silent blocking, blocking with alerts, use of alerts to control certain processes, etc.

 

[shmu26]

I would keep Sandboxie, for browsing.

Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?

 

[HarborFront]

Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?

Presuming if you do NOT want an AV, which forms the first line of defense, then the next line of defense will be offering protection when the malicious file is being accessed or loaded into memory.

Is it a good move to do away the AV? I mean protecting during in-process and outgoing? If we take a process it'll be like this

INCOMING ==> IN-PROCESS ==> OUTGOING

So, you let the malicious file to come in but you block it during accessed and/or kill it during in-process (in memory) and blocking it from calling home.

Would this be good enough for a system protection set up? I suppose having Shadow Defender (SD) would be best in case if in-process protection fails

 

[shmu26]

Presuming if you do NOT want an AV, which forms the first line of defense, then the next line of defense will be offering protection when the malicious file is being accessed or loaded into memory.

Is it a good move to do away the AV? I mean protecting during in-process and outgoing? If we take a process it'll be like this

INCOMING ==> IN-PROCESS ==> OUTGOING

So, you let the malicious file to come in but you block it during accessed and/or kill it during in-process (in memory) and blocking it from calling home.

Would this be good enough for a system protection set up? I suppose having Shadow Defender (SD) would be best in case if in-process protection fails

Does this relate to sandboxing the browser, or is it a different point?

 

[HarborFront]

Does this relate to sandboxing the browser, or is it a different point?

Nope. Not relating to the browser and SBIE

I use SD to roll back the system in case it gets infected

 

[shmu26]

Nope. Not relating to the browser and SBIE

I use SD to roll back the system in case it gets infected

Thanks. And I am keeping AV in my config.

 

[Peter2150]

Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?

Two things.

1. It's another layer, and
2 Sbie does one thing none of the others do. It cleans up the junk left on your system I am sometimes amazed at how much there is.