Basic Security Rengar's Security Config

Evjl's Rain

Apr 18, 2016
How are you finding it? It's extremely light and I really like its GUI, but I don't know if I prefer it over CFW.
If you get the chance I wouldn't mind seeing a test of it. I'm not sure how it handles scripts, so I'm curious if it suffers the same problem as Avast's hardened mode and if there's any way to bypass its protection. I've also heard its universal AV suffers from some major engine update delays.
It's very light and so far I like it
it's not annoying like other anti-exes but still effective
It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT, so SAP won't block them easily with its universal AVs. I will try to test it behind the scenes to pick good samples and then use these for a video.

I notice some differences between the engines used by universal AVs and the real engines. For example, WD couldn't detect many of the malware samples I scanned, but the Microsoft engine detected them as malware. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT.

Arequire

Feb 10, 2017
it's not annoying like other anti-exes but still effective
Yeah, it's nice to not have to keep unblocking legitimate processes having their network access blocked by CFW.

It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT, so SAP won't block them easily with its universal AVs. I will try to test it behind the scenes to pick good samples and then use these for a video.
Ah right. Didn't think about it being a lot harder to find samples for something that uses multiple engines, even if their sigs are delayed.

I notice some differences between the engines used by universal AVs and the real engines. For example, WD couldn't detect many of the malware samples I scanned, but the Microsoft engine detected them as malware. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT.
I think VDS is a step up in this regard by having a direct link to VT. No out-of-date sigs to worry about in determining if samples are malicious or not.

I'll keep SAP around for now but I'm not all that familiar with it. With CFW I know where I stand and know the protection it affords after using it for a long time but I've never given SAP much of a fair shake and I've only seen one or two tests featuring it so I can't determine how strong its protection is. Especially against signed malware or scripts.

Since SAP were forced to drop VT this is the kind of malware I'd be concerned about when running it:
[Screenshot: cppJClV.png]

Signed and the universal AV says clean but VT gives a 35/56. What'd happen if someone ran into this kind of sample nowadays when VT isn't there to give you a heads up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely in theory.

Edit: Sorry for taking over your configuration thread to discuss SAP, @LanDude! :oops: Hope you don't mind.

jamescv7

Mar 15, 2011
Good configuration. Honestly, Comodo's components are strong enough, though you need to tweak them carefully for accuracy and precision.

@Arequire: Well, in those instances a user should always look carefully at the alerts. SAP provides multiple criteria to avoid any bypass on the file, so any red marks will halt execution.

At a close look it may not be user friendly, but the more time you use it, the more it can be a very good supplement to a setup.

Evjl's Rain

Apr 18, 2016
[Screenshot: cppJClV.png]

Signed and the universal AV says clean but VT gives a 35/56. What'd happen if someone ran into this kind of sample nowadays when VT isn't there to give you a heads up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely in theory.
Yes, there is no behavioral detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT, or upload them to a Cuckoo sandbox and wait for the final verdict.
Honestly I prefer Jotti because it is 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT, I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.

Handsome Recluse

Nov 17, 2016
Yes, there is no behavioral detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untested file" by SAP. We should upload them to Jotti or VT, or upload them to a Cuckoo sandbox and wait for the final verdict.
Honestly I prefer Jotti because it is 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT, I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.
What are you gonna do then if the 1-year trial expires? If ever it reaches that point...

Arequire

Feb 10, 2017
@Arequire: Well, in those instances a user should always look carefully at the alerts. SAP provides multiple criteria to avoid any bypass on the file, so any red marks will halt execution.

At a close look it may not be user friendly, but the more time you use it, the more it can be a very good supplement to a setup.
Yes, there is no behavioral detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP.
I keep it in lockdown mode, so this wouldn't affect me unless I downloaded and ran it myself. All I'd get shown would be the name of the file that had been blocked. It's just a little worrying for those that run interactive mode that the UAV's sigs are so out-of-date that none of the AVs included detected it as malware, even when almost all did on VT. I guess you could argue it's still better than the traditional approach of having the file run on your system and hoping behavioural detection or HIPS catches it before it does any damage.

Rengar

Thread author
Jan 6, 2017
REMOVED: NetCraft
ADDED: TheGreatSuspender, Norton DNS

I think I'm protected with this config.
I had problems upgrading to W10. When I decide to format my PC I will do a clean install of W10 :)


Chrome extensions added: Don't Track Me Google, Disable HTML5 Autoplay, Stealth Mode.

mekelek

Feb 24, 2017
Yes, there is no behavioral detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT, or upload them to a Cuckoo sandbox and wait for the final verdict.
Honestly I prefer Jotti because it is 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT, I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.
From my experience, SAP literally made me go crazy with the way it handled the "initial scan".
I haven't seen such a buggy POS for a while.

inuyasha

Apr 9, 2017
REMOVED: NetCraft
ADDED: TheGreatSuspender, Norton DNS

I think I'm protected with this config.
I had problems upgrading to W10. When I decide to format my PC I will do a clean install of W10 :)

Why remove NetCraft?

Rengar

Thread author
Jan 6, 2017
It's possible to enable Malwarebytes as I have a lifetime licence, but it's a little overkill... We will see... :unsure:

harlan4096

Apr 28, 2015
Hmm... WD + ZAL and now MBAM Pro (resident): you will probably get some slowdowns in the system, and some issues with the other resident applications...

Try and let us know :)