thecommissar's Config - 4 layers, want to remove 1?

Windows Edition
Home
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
BitDefender Total Security 2016, WebRoot Secure Anywhere AntiVirus, HitmanAlert3 Anti-Exploit
Firewall security
Periodic malware scanners
HitmanPro (paid), HijackThis
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome, Citrio, Firefox, IE, Opera, Midori, Sleipnir
Maintenance tools
None
File and Photo backup
Casper (bootable clone), CrashPlan, Various Cloud storage
System recovery
Casper

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
I suffered a Ransomware attack previously - it was traumatic (I literally had 1 ransomware encrypt the already encrypted files of a DIFFERENT ransomware in a tandem attack...). I am now running a multi-layered security software package, but I know running software together can weaken security due to interactions, etc.

I believe however, that all the programs I use are quite different and shouldn't weaken security, but I'm looking for comments from knowledgeable persons. N.B. I run 64GB of RAM and OC liquid cooled CPU so performance tends to be fine overall so far.

1. BitDefender Total Security 2016 - I run this as my main signature-based Anti-Virus (AV); All settings on.

2. WebRoot Secure Anywhere Anti-Virus ONLY - I run this as a NON-signature based, behavior analysis anti-virus solution. As per the makers, it's billed as being able to run with 'standard' AV like BitDefender. There haven't been any conflicts so far (1 week), but I'm more worried about unforeseen weaknesses I might be creating by having these two major AV programs running together.

People do often claim to use WebRoot as an addon program, but I'd like to see what more people think. WebRoot definitely finds things BD does not; but most of it is just nonsense .dlls or cookies and the like.

3. I run Hitman Alert3 (paid version) as an Anti-Exploit protection (mainly for the anti-Ransomware features), but I also like that in the past it's warned me about various programs doing things even if they were ok; I like the console format and trust Hitman (I also have the paid scanner which works with Alert3; this is an on-demand only second opinion active scanner).

4. This one I'm not sure about and may remove; I recently installed MalwareBytes Experimental BETA Anti-Ransomware only program. Apparently MalwareBytes claims it's been very successful at stopping Ransomware. It has NO settings to configure, it just runs in the background; I have no idea what it's doing or if it works, or if it conflicts possibly with the above 3 software programs, all of which in principle have some anti-ransomware component.

***5. I have a feeling that of these 4, 1 should probably be removed. Which one?
 

Deleted member 2913

Your main AV is Bitdefender. I guess it too has ransomware protection now, right?
You don't need Webroot IMO.
Go with any 1 between Hitman & MBAM. I don't use Hitman or MBAM so users of these products will give you better info.

By the way, what security products were you running when you got hit by ransomware?
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
Thanks everyone so much for the reality check; I'm a noob at security software really (HijackThis was previously the only thing I really cared to use because the software all slowed down my machine too much; luckily in the last few years it seems vendors have mostly been able to improve performance a LOT).

A. I agree and removed MalwareBytes Anti-Ransomware BETA. While those tests are certainly discouraging, it's also experimental and in BETA, which isn't the best for a security solution (e.g. I wouldn't want to wear body armor that's in Beta testing...); but, and this may be bizarre, on a visceral level for software whose use case is only theoretical, I like to actively SEE that the program is functioning and actually at least doing something (why I like Hitman Alert, because it's quite interactive); MalwareBytes AR just sits there - so from a UX type experience alone I dislike it.

I have never heard of WinAntiRansom before so I am in the process of investigating it; it looks great up front. I'm slightly worried that having 3 programs all with anti-ransomware (not to mention adding a dedicated 4th one like WinAntiRansom) could create weaknesses I can't see. I'm assuming not, but I think it's definitely a possible risk.

**And when I got hit with the double ransomware I had nothing - just Windows 8.1 default (Defender), As it happened I only had 1 actual file of any utility since the machine was new, and I actually used the '2 free restore ability' the %@#$^ Ransomware provided (which it supposedly does to prove it can restore your files) to get that file back lol.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
If you can have AppGuard, you may remove 2 and 4 (and probably 3) in my opinion. :)
AppGuard is a "lock down" kind of security software. Ransomware cannot (or shouldn't) be able to penetrate the system.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Herr Kommissar- You have one significant hole in your setup- the inability to detect any true zero-day malware connecting out to the network, thus stealing your info. You need Outbound Firewall alerts big time.

As to the anti-ransomware apps, BD has (as long as you activate it) ransomware protection that although not as inclusive as WAR, will be equivalent to HMPA and will far, far surpass MBAR.
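The outbound-alert gap cruelsister describes can be closed without a third-party firewall, as long as the Windows Firewall is the active one (in the thread it is currently replaced by BitDefender's). Windows Firewall never prompts on a new outbound connection; the built-in equivalent is a default-deny outbound policy with a per-program allowlist and a log of what got dropped. The following is an added example, not code from the thread or from any product named in it; the browser paths, the log path and the choice of allowed programs are assumptions for illustration and must be adjusted to the machine.

```powershell
# Added example: default-deny outbound allowlist on Windows Firewall (Windows 8.1/10).
# Run from an elevated PowerShell. Paths below are assumptions for the example.
#Requires -RunAsAdministrator

$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# 1. Block everything outbound by default on all profiles and log the drops.
#    The predefined "Core Networking" rules (DNS, DHCP, ...) stay enabled, so
#    name resolution keeps working; everything else must be allowed explicitly.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 16384

# 2. Allow only the programs that legitimately need the network, per program
#    (not per port), so a dropper cannot ride a port that is open for the browser.
$Allowed = @{
    'Chrome'  = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"   # assumed path
    'Firefox' = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"            # assumed path
}
foreach ($name in $Allowed.Keys) {
    $path = $Allowed[$name]
    if (Test-Path $path) {
        New-NetFirewallRule -DisplayName "Allow out: $name" -Direction Outbound `
            -Program $path -Action Allow -Profile Any -ErrorAction SilentlyContinue | Out-Null
    }
}

# 3. Windows Update lives inside svchost.exe; allow it by service rather than by
#    binary so the other svchost-hosted services remain blocked.
New-NetFirewallRule -DisplayName 'Allow out: Windows Update (wuauserv)' -Direction Outbound `
    -Service wuauserv -Action Allow -Profile Any -ErrorAction SilentlyContinue | Out-Null

# 4. Review: list outbound DROP entries, grouped by the process that tried to connect.
#    This is the information an outbound "alert" would otherwise have shown you.
function Get-BlockedOutbound {
    param([string]$Log = $LogPath, [int]$Last = 2000)
    if (-not (Test-Path $Log)) { return @() }
    Get-Content $Log -Tail $Last |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |
        ForEach-Object {
            # W3C fields: date time action protocol src-ip dst-ip src-port dst-port size ... path pid
            $f = $_ -split ' '
            if ($f[-2] -eq 'SEND') {          # path = SEND means outbound
                [pscustomobject]@{ Time = $f[1]; Proto = $f[2]; Dest = "$($f[5]):$($f[7])"; Pid = $f[-1] }
            }
        }
}

Get-BlockedOutbound | Group-Object Pid | Sort-Object Count -Descending | Format-Table Name, Count
```

Two caveats a practitioner should expect: anything not in the allowlist silently breaks (Windows Store, Delivery Optimization, license checks in applications), so the log review in step 4 is not optional during the first days; and a per-program rule trusts the path, not the binary, so it does nothing against code injected into an allowed browser process, which is the case for the behaviour blockers rather than the firewall.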
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
Thanks for your reply! In principle, I'm not (personally) as worried about data theft, but I had thought that WebRoot supposedly does monitor outgoing network traffic (and relies on Windows to monitor inbound traffic, according to Webroot).

Webroot Secure Anywhere Context Help

On the other hand, because I have BitDefender, which I believe replaces Windows Inbound Firewall, I have Windows turned off. Unless by 'outbound firewall alerts' you're referring to another program, or something I don't know about?
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
If you can have AppGuard, you may remove 2 and 4 (and probably 3) in my opinion. :)
AppGuard is a "lock down" kind of security software. Ransomware cannot (or shouldn't) be able to penetrate the system.

That sounds like it could be a good ransomware specific solution; I'll look into it more; Why though, if indeed AppGuard simply kills the .exe part of the ransomware, would someone use WinAntiRansom instead? How do these differ? Admittedly, I just learned of both of these programs now so I know nothing about them and will need to do more reading.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
That sounds like it could be a good ransomware specific solution; I'll look into it more; Why though, if indeed AppGuard simply kills the .exe part of the ransomware, would someone use WinAntiRansom instead? How do these differ? Admittedly, I just learned of both of these programs now so I know nothing about them and will need to do more reading.
I haven't tried WAR, so I can't comment on the comparison.
This is AppGuard's site for more info: AppGuard | Personal

Edit:
Written Review - AppGuard
It is a paid software, but I'm not sure if BRN is still selling AppGuard 4 licenses. I have read that they are still working on their marketing style.
 

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
I love and support MBARW but it is best to go back to it AFTER it comes out of BETA. Even in BETA MBARW hasn't failed me yet. :D
 

Alkajak

Information about AppGuard from one of the reviews I linked:
Lock-Down Mode - block execution of any ransomware

Protected (Medium) Mode - block execution of all unsigned ransomware; digitally signed ransomware will execute and encrypt C:\ProgramData and C:\Users\User directories. Ransom file can perform other actions in those directories dependent upon what it was coded to do.

I am still searching for digitally signed ransomware to verify.
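The distinction the review draws (unsigned blocked, signed allowed) rests on what Windows reports for a file's Authenticode signature, and "signed" covers several different states. The following is an added example, not code from the thread or from AppGuard: it classifies the executables in a folder the way a signature-based whitelist would see them, and also checks for the Zone.Identifier stream (mark-of-the-web) that SmartScreen keys on. The Downloads folder is an assumed starting point.

```powershell
# Added example: what "digitally signed" means to a signature-based whitelist.
# Status meanings (Get-AuthenticodeSignature): Valid = chain trusted by Windows;
# NotSigned = no signature; NotTrusted = signed but chain not trusted (e.g. self-signed);
# HashMismatch = signature present but the file was modified after signing.
function Get-ExeSignatureReport {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed folder

    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $class = switch ($sig.Status) {
            'Valid'     { 'signed-trusted' }
            'NotSigned' { 'unsigned' }
            default     { "signed-$($sig.Status)" }   # NotTrusted, HashMismatch, UnknownError ...
        }
        [pscustomobject]@{
            File         = $_.Name
            Class        = $class
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            # A file downloaded from the internet carries a Zone.Identifier alternate data
            # stream (ZoneId=3); SmartScreen only evaluates files that have one.
            FromInternet = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        }
    }
}

Get-ExeSignatureReport | Sort-Object Class, File | Format-Table -AutoSize
```

The useful lesson from the output is that only "signed-trusted" is what a Medium-mode policy treats as signed; a self-signed or tampered binary lands in the same bucket as unsigned. The converse is the weakness Alkajak is probing: a valid signature proves who signed the file, not what it does, so malware signed with a stolen or fraudulently obtained certificate passes this check, which is why the Lock-Down mode exists.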
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
Given Sandboxie is often mentioned on the forums; Is there a "mechanistic" difference between Sandboxie and just running say VirtualBox with a Linux distro and working in the Virtual Machine? Is Sandboxie just a much simpler simulated virtual machine environment? I couldn't tell from their website.
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
464
Given Sandboxie is often mentioned on the forums; Is there a "mechanistic" difference between Sandboxie and just running say VirtualBox with a Linux distro and working in the Virtual Machine? Is Sandboxie just a much simpler simulated virtual machine environment? I couldn't tell from their website.

VirtualBox is the heavyweight, mainly for testing purposes (OS, malware, software), while Sandboxie is the lighter version, selectively isolating software and giving control over which processes are allowed or prevented from running or connecting to the internet.

Here's an old link explaining their difference: Security Unwrapped: Virtual Machines and Sandboxes
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
A good solid sandboxing software like Sandboxie or Comodo Firewall with auto-sandbox enabled, coupled with NVT EXE Radar/VoodooShield/AppGuard, will do a much better job than the internet security suites you are using. It's cost-effective and almost robust in preventing zero-day threats. Add any free AV to the above mix for an extra layer if you wish so.
 

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,858
You should enable SmartScreen just like @Umbra said, set UAC to max and disable UAC elevation for unsigned executables:
Code:
https://www.dropbox.com/s/ryl0c6m66gl6z84/elevation%20of%20unsigned.zip?dl=0
And why are you not using any adblocker? They can help to protect you not only against ads but they will also block malvertising. Two reasonable options are Adguard and uBlock Origin.
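The three settings enaph lists (SmartScreen on, UAC at its highest level, no elevation for unsigned executables) are all registry values documented by Microsoft, so they can be set and audited without the linked .reg file, whose contents are not on this page. The following is an added example written for this thread, not the file enaph posted; run it from an elevated PowerShell, and note that the SmartScreen value shown is the Windows 8.1 / early Windows 10 one.

```powershell
# Added example: UAC "Always notify" + signed-only elevation + SmartScreen, with an audit.
# Changes take effect at the next sign-in. Run elevated.
#Requires -RunAsAdministrator

$Uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Desired = @{
    EnableLUA                   = 1   # UAC on
    ConsentPromptBehaviorAdmin  = 2   # "Always notify": prompt for consent on the secure desktop
    PromptOnSecureDesktop       = 1   # dimmed secure desktop, so software cannot click the prompt for you
    ValidateAdminCodeSignatures = 1   # only elevate executables that are signed and validated
}
foreach ($name in $Desired.Keys) {
    Set-ItemProperty -Path $Uac -Name $name -Value $Desired[$name] -Type DWord
}

# SmartScreen for files launched from Explorer. Values on Windows 8.1: RequireAdmin, Prompt, Off.
# Newer Windows 10 builds move this to the policy key
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\System (EnableSmartScreen=1, ShellSmartScreenLevel=Block).
$Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
Set-ItemProperty -Path $Explorer -Name SmartScreenEnabled -Value 'RequireAdmin' -Type String

# Audit: returns every setting that does NOT match the desired state; an empty result means compliant.
# Re-run this after installing software, because installers sometimes relax UAC.
function Test-UacHardening {
    $actual = Get-ItemProperty -Path $Uac
    $drift = @(foreach ($name in $Desired.Keys) {
        if ([int]$actual.$name -ne $Desired[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Desired[$name]; Actual = $actual.$name }
        }
    })
    $ss = (Get-ItemProperty -Path $Explorer -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
    if ($ss -ne 'RequireAdmin') {
        $drift += [pscustomobject]@{ Setting = 'SmartScreenEnabled'; Expected = 'RequireAdmin'; Actual = $ss }
    }
    return $drift
}

Test-UacHardening | Format-Table -AutoSize
```

The one setting that bites in daily use is ValidateAdminCodeSignatures: with it on, an unsigned installer or portable tool cannot be elevated at all (the prompt fails rather than appears), which is the intended effect against a dropper but also means unsigned legitimate software has to be run from a standard account or re-obtained signed.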
 

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
And why you're not using any adblocker? They can help to protect you not only against ads but they will also block malwertising. Two reasonable options are Adguard and uBlock Origin.

Just because an adblocker is beneficial to you doesn't necessarily mean the same for others. It is his choice whether or not to use an adblocker and it shouldn't decide whether a config is secure or not. :)


Enabling UAC and Smartscreen is a good idea. Auto updates are good. OPTIONAL: Windows 10 is free to upgrade and so far a good OS.
 