To Supplement EAM or Not?

Would you use EAM to protect your PC by itself or supplement it?

Total voters: 49 (poll closed)
(poster: joined Apr 28, 2017; 312 messages; OS: Windows 10; antivirus: Webroot)
#41
Yes you should implement additional security while using EAM alone

Including running Kaspersky, Norton, Avast and VoodooShield with a Ubuntu Mate OS that advocates installs from trusted Linux sources only.

Some people will recognize this as sarcasm, but that's because they are unsafe.
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,632 messages; OS: Windows 10)
#42
@SearchLight Unless you want more hassle with your configuration, I suggest you ignore the recommendations for software like anti-executable and anti-exploit. You can use Emsisoft Anti-Malware for your real-time protection sufficiently and you can add more simple and less-hassle additions like an on-demand scanner (e.g. HitmanPro is quite fast and reputable) and/or an ad-blocker (helps you block malvertising - there are reputable and free extensions for most browsers to do this like uBlock).

1. You can use Emsisoft Anti-Malware and VoodooShield in combination but ask yourself, why do this in the first place? You'll be just as protected using either on their own. Make good decisions and use your primary real-time defense as a backup friend and you'll be fine. Sure you can get an alert for every new unknown process spawn but you'll have the Emsisoft BB and even if you get an alert from an anti-executable, why not just not run it in the first place if you didn't want to run it? Run wisely.
2. You can use Emsisoft Anti-Malware and HitmanPro.Alert in combination as long as there are no compatibility issues (I am not sure if they are compatible) but ask yourself, why do this in the first place? You'll only have two security solutions in real-time potentially overlapping each other considering Emsisoft already provide exploit mitigations and ransomware protection. You don't really need both. In my opinion that is over-the-top past using EAM with VS.
3. You can use Emsisoft Anti-Malware with 4 on-demand scanners but it doesn't necessarily mean you'll be better protected. On-demand scanning will require you to spend time making the manual scans and if you rely on scheduled ones then you may be unexpectedly interrupted and have your system resources used up more while trying to work (depending on the scenario). Nor does it mean that an infection which surpassed your real-time security will actually be identified; one or two is enough in my opinion.
4. Emsisoft Anti-Malware and Zemana Anti-Logger in real-time? Emsisoft already intercepts keylogger installation attempts very effectively, there's no need for it in my opinion.

Emsisoft Anti-Malware is a full Anti-Virus replacement despite being titled Anti-Malware and it is supposed to be used as a full suite for protecting the user. It offers more than enough protection components which have been developed over numerous years by skilled engineers and researchers to get to the level of quality and reliability it is at now, and it is indefinitely sufficient to protect someone when being used alone as primary real-time protection. The statistics from malware testing by both general people who may make mistakes and tests conducted by professional security software testers who publish regular reports speak for themselves, not to mention that they use an engine alongside their own from another award-winning and extremely popular vendor, Bitdefender.

Stacking software upon software will never necessarily help you. It adds more attack vectors which can be potentially exploited and time and time again I see that most people don't really take notice. The attacks that paranoid users stacking software upon software are thinking about are likely to never ever be fired in your direction - traditional malware attacks will be handled by Emsisoft Anti-Malware perfectly fine, and many other Anti-Virus products perform a spectacular job. Unless of course you own a large company which automatically makes you a target.

The truth is that nothing is ever "enough" to close all holes which can be shot at by a bullet - but that doesn't mean you should have everything. Every time your security product flags a new program as malicious based on behavior or blocks a download, you've just dodged a bullet. Aim to reach the point where that rarely has to happen due to good decisions, and hopefully if you ever make a mistake which all of us make at some point, your reputable real-time security software will intervene and save the day, just like a good friend would if you were in need of assistance. Everything else is totally unnecessary with the exception of an on-demand scanner or an addition like an ad-blocker for improved user experience when browsing and to help direct targeted malvertising attacks.

Take it with a grain of salt because it is opinionated. Use good real-time as primary, add a few simple additions for ad-blocking and make a backup... You're good to go.
But the malware distributed by email -- a very common attack vector -- tends to be fresh samples, zero-days. AV detection cannot reliably block fresh samples, and behavior blocking is similarly hit-and-miss. What you said applies quite well to week-old malware hosted on well-known download and torrent sites, but not so well to email attacks.
 
Deleted member 65228 (Guest)
#43
@shmu26 Really? The same common attack vector you mentioned will require user-intervention unless there's a zero-day exploit being deployed (e.g. for an e-mail client -> and good luck doing this with web-based e-mail services like Google Mail). Instead of downloading the attachment and running it to be confronted with an alert from an anti-executable asking you if you want to run it, why not just not download and run the attachment instead? Attempt to verify the sender of the e-mail, stay away from the spam folder unless a special exception and ignore e-mails which are about sensitive things/contain attachments which are unexpected. Scan with online services beforehand and double-check with the person the attachment is from externally away from the e-mail/chat software. Click-happy gets you into trouble.

Behavior Blocking is exactly a hit-and-miss scenario, what you said regarding this is factual. However many vendors like Emsisoft, Avast, G-Data and Kaspersky are focusing a lot on dynamic protection. If you get hit by a zero-day sample for a new Petya variant, it'll be blocked by Emsisoft while attempting to hijack the Master Boot Record... Same applies for NotPetya, BadRabbit and Rombertik. You could change the scenario to banking malware, where a traditional code injection attack would become mitigated unless it's a new unknown code injection attack which is out of monitoring scope, or unless that very rare zero-day exploit is deployed to surpass all your protection (which none of us literally ever actually get hit with generally speaking).

All you need to do is use a good security suite with a few simple additions for a nice, secure and lightweight configuration. Good configuration includes a good backup because security isn't just about prevention of infection, but also prevention of data-loss. Alternatively, just lock down the configuration - you don't need to go overkill and use two configurations in one because it can be absolutely meaningless in the end. If you make a mistake and you cannot be saved then revert using your backup.
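The MBR hijack mentioned in the post above is something a behaviour blocker intercepts at the moment of the write. What follows is an added example, not code from the original post or from Emsisoft, of the complementary after-the-fact check a practitioner can script: record a hash of the known-good first sector once, then compare the boot code and the partition table against that baseline. The sector bytes here are constructed rather than read from a real disk; the read_sector helper only shows where a real read would go (raw device access needs administrator or root).

```python
"""Compare a legacy MBR (first 512 bytes of a disk) against a recorded baseline.

Added example, not from the original post or from any vendor in the thread.
All sample sectors below are constructed in code, not captured from a machine.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # 446: start of the four 16-byte partition entries
TABLE_SIZE = 64
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sector(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble an MBR from boot code plus up to four (bootable, type, start_lba, sectors)
    entries. Used here only to construct sample data."""
    if len(boot_code) > TABLE_OFFSET or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", start, size)
        for bootable, ptype, start, size in partitions
    )
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table.ljust(TABLE_SIZE, b"\x00") + BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Decode the non-empty partition entries (partition type 0 means unused)."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "start_lba": start, "sectors": size})
    return entries


def fingerprint(sector: bytes) -> Dict[str, str]:
    """Hash boot code and partition table separately so a report can say which one changed."""
    return {
        "code": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "table": hashlib.sha256(sector[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE]).hexdigest(),
    }


def check(sector: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare a freshly read sector with the recorded baseline; an empty list means unchanged."""
    if len(sector) != SECTOR_SIZE:
        return ["wrong-length"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("bad-boot-signature")
    current = fingerprint(sector)
    if current["code"] != baseline["code"]:
        findings.append("boot-code-changed")
    if current["table"] != baseline["table"]:
        findings.append("partition-table-changed")
    return findings


def read_sector(device: str) -> bytes:
    """Read the first sector of a raw device.
    Typical paths: \\\\.\\PhysicalDrive0 on Windows (administrator), /dev/sda on Linux (root)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample: plausible first boot-code bytes and one bootable NTFS (0x07) partition.
BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli; xor ax,ax; mov ss,ax; mov sp,0x7c00
GOOD_SECTOR = build_sector(BOOT_CODE, [(True, 0x07, 2048, 1_000_000)])
BASELINE = fingerprint(GOOD_SECTOR)
# First boot-code bytes overwritten (here with a two-byte jump); partition table untouched.
TAMPERED_CODE = b"\xeb\xfe" + GOOD_SECTOR[2:]
# Partition type flipped to 0x83; boot code untouched.
TAMPERED_TABLE = build_sector(BOOT_CODE, [(True, 0x83, 2048, 1_000_000)])

if __name__ == "__main__":
    for label, sector in [("good", GOOD_SECTOR), ("code", TAMPERED_CODE), ("table", TAMPERED_TABLE)]:
        print(label, check(sector, BASELINE) or "unchanged", parse_partitions(sector))
```

Two caveats on using this for real: the baseline is only worth anything if it was recorded while the system was known-good, and a bootkit that hooks disk reads can hand the original sector back to a user-mode reader, so a clean result from inside the running OS is evidence, not proof; compare from offline boot media when it matters.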
 
shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,632 messages; OS: Windows 10)
#44
@shmu26 Really? The same common attack vector you mentioned will require user-intervention
Absolutely true. An experienced user will never fall for it. But his tired wife is liable to click on a pic that supposedly came from her sister...

As for dynamic detection, it is a cat-and-mouse game. As smart as the AV vendors are, the malcoders are constantly finding new ways to evade detection. In the mean time, until your AV pushes out a new version, you are vulnerable.

I think that the use of webmail, such as Gmail, helps a lot to protect. Because you will most likely open any booby-trapped file on the web, not on your computer.
 
Deleted member 65228 (Guest)
#45
But his tired wife is liable to click on a pic that supposedly came from her sister...
Emsisoft Anti-Malware with HitmanPro.Alert, VoodooShield, Malwarebytes Anti-Malware (real-time), and every other security software available in real-time still won't be enough to block all infections, especially from another family member who is inexperienced.

That is why the backup and on-demand scanning is important. It doesn't mean you should go overkill on configuration. Most products can be password protected to prevent whitelist changes without authorisation and some can also notify you by e-mail in case a detection is caused while the system is being used - allowing you to do a check with family members remotely by sending them a text or calling them after being notified.

Anti-executable is also user-intervention, I assume we are having this debate because I mentioned it previously and I knew it would be a sensitive topic for most but I wanted to share my opinion like everyone else. Your family member can download a picture of their cat which is really an executable with a fake extension for *.png but then they can also allow the alert because they wanted to run the picture of the cat. Oh, VoodooAi says it is dangerous? "Yeah sure this is just a cat picture I want to see it they are cute" -> infected.

Regarding behavioural protection, features like MBR protection will rarely be bypassed if they are implemented correctly and securely unless the attack is from kernel-mode or a zero-day SP bypass is found and exploited. Code injection usually follows common and known but mitigated techniques as well (by the good security product with good zero-day monitoring), unless the attacker is experienced and in a different scenario it would likely be a targeted attack which wouldn't usually be for a Home average user.

I perfectly understand your points and I agree with some of the things you have said but this doesn't need to be over-complicated and over-kill.
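The disguised cat picture described in the post above is a check that can be scripted rather than left to the user. The following is an added example, not code from the original post or from VoodooShield or Emsisoft: it compares a file's leading bytes against the extension it advertises and flags the usual disguises (a double extension hidden by Explorer's default "hide extensions for known file types", a right-to-left override character that reverses the visible suffix, and a PE header behind an image extension). The magic-number table, the extension lists and the sample byte strings are constructed for this example.

```python
"""Flag files whose name or content disguises an executable as a picture or document.

Added example, not from the original post or from any vendor in the thread.
The magic-number table and sample heads below are constructed for this example.
"""
import os
from typing import List, Optional, Tuple

# Leading bytes that identify common file types regardless of the file name.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also .docx/.xlsx/.jar containers
    b"MZ": "pe",            # Windows .exe/.dll/.scr image
}

# What each extension claims to be, in the same vocabulary as MAGIC.
EXT_KIND = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip",
    "exe": "pe", "dll": "pe", "scr": "pe",
}

# Extensions Explorer hands to a loader or script host instead of a viewer.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "dll", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Extensions a lure would show in front of the real one ("cat.png.exe").
DOCUMENT_EXTS = (set(EXT_KIND) - {"exe", "dll", "scr"}) | {"txt", "doc", "xls", "bmp"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: "cat\u202egnp.scr" is rendered as "catrcs.png"


def sniff(head: bytes) -> Optional[str]:
    """Return the content type implied by the first bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def split_ext(name: str) -> Tuple[str, str]:
    """(stem, lowercase extension without the dot), split on the last dot,
    which is the suffix the OS actually acts on."""
    stem, ext = os.path.splitext(name)
    return stem, ext.lstrip(".").lower()


def display_name(name: str) -> str:
    """What Explorer lists with 'hide extensions for known file types' on:
    the final known extension disappears, so 'cat.png.exe' appears as 'cat.png'."""
    stem, ext = split_ext(name)
    return stem if ext in EXECUTABLE_EXTS | set(EXT_KIND) else name


def assess(name: str, head: bytes) -> List[str]:
    """Return findings for a file name plus its leading bytes; empty means nothing suspicious."""
    findings = []
    stem, ext = split_ext(name)
    _, inner_ext = split_ext(stem)
    kind = sniff(head)

    if RLO in name:
        findings.append("rlo-in-name")
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append("double-extension")
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    claimed = EXT_KIND.get(ext)
    if kind == "pe" and claimed != "pe":
        findings.append("disguised-executable")      # PE image behind a non-executable name
    elif kind and claimed and kind != claimed:
        findings.append(f"content-mismatch:{kind}!={ext}")
    return findings


# Constructed sample heads; only the leading bytes matter for sniffing.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x04\x00\x00\x00\xff\xff\x00\x00"

if __name__ == "__main__":
    for name, head in [("cat.png", PNG_HEAD), ("cat.png", PE_HEAD),
                       ("cat.png.exe", PE_HEAD), ("cat\u202egnp.scr", PE_HEAD)]:
        print(f"{name!r} shown as {display_name(name)!r}: {assess(name, head) or 'ok'}")
```

The point of splitting on the last dot is that this is what the shell does too: "cat.png.exe" is an .exe no matter how it is listed, and the RLO case is the one where the on-screen name lies while the real suffix is still intact in the string, so the check works on the raw name and never on what was rendered.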
 

Nightwalker (Level 11, Verified; joined May 26, 2014; 513 messages; OS: Windows 10)
#46
Thanks @Opcode for your brilliant insights, it is very much appreciated, one of the best posts that I read about security setup since I started visiting security forums (2004 I think).

Not trying to be disrespectful but some users here on MalwareTips and on Wilders Security usually mistake an effective security setup for their geek's hobby.

Example:

[screenshot: "EAM won't initialize after update reboot"]


I am impressed that his machine can actually boot.
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,632 messages; OS: Windows 10)
#47
Anti-executable is also user-intervention...
Your family member can download a picture of their cat which is really an executable with a fake extension for *.png but then they can also allow the alert because they wanted to run the picture of the cat. Oh, VoodooAi says it is dangerous? "Yeah sure this is just a cat picture I want to see it they are cute" -> infected.
You are making a very good point here. That's why it is best to train the system, and then put it in a lockdown mode of some sort, or hide the alerts, it depends on which software you are using. This prevents the noobs from shooting themselves in the foot. If something doesn't work, don't worry, they will come to ask you.

But in principle, I agree with your advice. A good AV suite like Emsisoft is the best solution for most users, unless there is a geek in the house who enjoys making things super safe.
Anyways, the majority of infections can be solved by a system image restore, which was your other good advice.
 

_CyberGhosT_ (Level 52, Verified; joined Aug 2, 2015; 4,180 messages; OS: Linux Mint; antivirus: Default-Deny)
#48
Can you give an example of malware waltzing right past Emsisoft's behavior blocker? Thanks.
Not happening, and claiming this is a recipe for trouble.
I know enough about EmsiSoft to know that this is far from the truth, let's not make false claims that have the potential to hurt the reputation of EmsiSoft. ;)
 

danb (From VoodooShield, Developer, Verified; joined May 31, 2017; 465 messages; OS: Windows 8.1)
#49
Anti-executable is also user-intervention, I assume we are having this debate because I mentioned it previously and I knew it would be a sensitive topic for most but I wanted to share my opinion like everyone else. Your family member can download a picture of their cat which is really an executable with a fake extension for *.png but then they can also allow the alert because they wanted to run the picture of the cat. Oh, VoodooAi says it is dangerous? "Yeah sure this is just a cat picture I want to see it they are cute" -> infected.
In all fairness, not providing the user a second chance to block the malware guarantees infection, if the file is missed by the main AV.

I have worked with users for close to 20 years, and trust me, if the user were to see a red prompt that says unsafe, the odds are slim to none that they would click allow.

The infection rate of VS users over the last 6 years support this claim ;).
 
Deleted member 65228 (Guest)
#50
@danb I have absolutely no doubt in my mind that the infection rate of VS users over the last 6 years can support your claim because in the real world VoodooShield is unheard of and the only people who are likely to be using it are people on forums like this who do apply good practice or stack software upon software to try and be invincible to the latest stolen CIA technology.

Vendors like Norton are heard of in the real world and usually they auto-quarantine (same for some other vendors by default) as far as I am aware to help stop an ignorant user from just allowing a detection. More work to go into settings and whitelist and many average users are lazy and if this is the case then I think it does actually work sometimes.
 

_CyberGhosT_ (Level 52, Verified; joined Aug 2, 2015; 4,180 messages; OS: Linux Mint; antivirus: Default-Deny)
#51
The infection rate of VS users over the last 6 years support this claim ;).
I have to agree on that point, as you know I have employed VS for quite some time with no other software aside from stuff like DeepArmor, HMPA, and small other side companion apps, and not been hit yet ;)
What do they say ? "the proof is in the pudding" and I love my VS pudding :p
 

danb (From VoodooShield, Developer, Verified; joined May 31, 2017; 465 messages; OS: Windows 8.1)
#52
@danb I have absolutely no doubt in my mind that the infection rate of VS users over the last 6 years can support your claim because in the real world VoodooShield is unheard of and the only people who are likely to be using it are people on forums like this who do apply good practice or stack software upon software to try and be invincible to the latest stolen CIA technology.

Vendors like Norton are heard of in the real world and usually they auto-quarantine (same for some other vendors by default) as far as I am aware to help stop an ignorant user from just allowing a detection. More work to go into settings and whitelist and many average users are lazy and if this is the case then I think it does actually work sometimes.
Ummm, we have a lot more users than you obviously think we do... SMB and consumer. A lot of them are complete novices who cannot even change their screen saver, but they know how to use VS.
 

_CyberGhosT_ (Level 52, Verified; joined Aug 2, 2015; 4,180 messages; OS: Linux Mint; antivirus: Default-Deny)
#53
@danb I have absolutely no doubt in my mind that the infection rate of VS users over the last 6 years can support your claim because in the real world VoodooShield is unheard of and the only people who are likely to be using it are people on forums like this who do apply good practice or stack software upon software to try and be invincible to the latest stolen CIA technology.

Vendors like Norton are heard of in the real world and usually they auto-quarantine (same for some other vendors by default) as far as I am aware to help stop an ignorant user from just allowing a detection. More work to go into settings and whitelist and many average users are lazy and if this is the case then I think it does actually work sometimes.
You don't have to agree with Dan or even like VS, but the way you reply is provocative and unnecessary ;)
I wanted to say this here to you seeing I reported this post for that very reason and I did not want to go behind your back.
You are smart and knowledgeable I give you that, but you need to work on some things brother ;) PeAcE
 
Deleted member 65228 (Guest)
#54
@danb I never said you don't have a lot of users, I said that in the real world VoodooShield is unheard of. In the real world vendors like Norton, AVG, McAfee, Avast and Kaspersky are heard of. Those are the ones with millions of customers. Avast bought AVG for £1.13b like it was buying a cake in a shop.

For the record, I don't intend to make myself sound like making a statement. All my posts are opinionated. Therefore I am not factually stating VoodooShield is unheard of, I just really doubt it is.
 
Deleted member 65228 (Guest)
#55
@_CyberGhosT_ You reported my post as 'provocative' because I don't think VoodooShield is heard of in the real world and that I doubt hardly anyone outside of these geek forums uses it...

Provocative: "causing anger or another strong reaction, especially deliberately."
I'm not angry and I don't think anyone else is... My posts are opinionated. I don't force anyone to agree with me, it is natural to disagree sometimes. I don't see what the problem is, he quoted me first I just responded with my thoughts to it :/

But no problem I understand. The Report button is free for anyone to use, I didn't mean to irritate you with my post

Resolution:
@danb I am sorry if you find my post offensive because that isn't the intention, but I don't think you will mind my opinion. I am not saying VS is bad, I think it can be useful and many people here use it because they like it. I said McAfee is known in the real world IMO but I can also say that I think it is atrocious and would never go near it with a barge-pole...
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,632 messages; OS: Windows 10)
#56
You don't have to agree with Dan or even like VS, but the way you reply is provocative and unnecessary ;)
I wanted to say this here to you seeing I reported this post for that very reason and I did not want to go behind your back.
You are smart and knowledgeable I give you that, but you need to work on some things brother ;) PeAcE
Mr. Ghost, I didn't see anything that deserved to be reported. No personal stuff, no trolling, just a strongly stated opinion. Although I am a default/deny addict myself, I am enjoying this discussion. But I got to get back to work...
 

danb (From VoodooShield, Developer, Verified; joined May 31, 2017; 465 messages; OS: Windows 8.1)
#57
@danb I never said you don't have a lot of users, I said that in the real world VoodooShield is unheard of. In the real world vendors like Norton, AVG, McAfee, Avast and Kaspersky are heard of. Those are the ones with millions of customers. Avast bought AVG for £1.13b like it was buying a cake in a shop.

For the record, I don't intend to make myself sound like making a statement. All my posts are opinionated. Therefore I am not factually stating VoodooShield is unheard of, I just really doubt it is.
I totally agree... most novice and average users have only heard of the top 3-5 AV companies (trust me, I ask them)... and besides, companies who have been in business for 20+ years will experience significantly more brand awareness. Before I joined security forums 6 years ago, I had not heard of a lot of the products either... and I had been a computer guy for 13+ years ;).

I would say until 1.5 years ago, VS was pretty much unknown. But just remember, when someone loves a product, they tend to let a lot of people know about it ;).
 

danb (From VoodooShield, Developer, Verified; joined May 31, 2017; 465 messages; OS: Windows 8.1)
#58
@_CyberGhosT_ You reported my post as 'provocative' because I don't think VoodooShield is heard of in the real world and that I doubt hardly anyone outside of these geek forums uses it...
I'm not angry and I don't think anyone else is... My posts are opinionated. I don't force anyone to agree with me, it is natural to disagree sometimes. I don't see what the problem is, he quoted me first I just responded with my thoughts to it :/

But no problem I understand. The Report button is free for anyone to use, I didn't mean to irritate you with my post

Resolution:
@danb I am sorry if you find my post offensive because that isn't the intention, but I don't think you will mind my opinion. I am not saying VS is bad, I think it can be useful and many people here use it because they like it. I said McAfee is known in the real world IMO but I can also say that I think it is atrocious and would never go near it with a barge-pole...
It's totally cool, I did not take offense at all, I promise. I just wish people could see what I see... like all of the emails and feedback I receive. Only then would you understand what is really going on.
 

_CyberGhosT_ (Level 52, Verified; joined Aug 2, 2015; 4,180 messages; OS: Linux Mint; antivirus: Default-Deny)
#59
@Opcode
MT goes out of its way to help users formulate community posts by "suggesting" you post content and comments in a manner that is productive and encouraging of discussions. My issue was with the little "rock throwing"; you can back-pedal now, but without that, you had an impressive post. You're plenty smart enough to know what I am addressing, as most are here, and no I will not break it down here, but it is the reason I reported it.
You could have said 90% of what you said with the Digs, make sense?
I will drop it now too so as not to further this. Thanks for trying to clean it up and clarify :)
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,632 messages; OS: Windows 10)
#60
I totally agree... most novice and average users have only heard of the top 3-5 AV companies (trust me, I ask them)... and besides, companies who have been in business for 20+ years will experience significantly more brand awareness. Before I joined security forums 6 years ago, I had not heard of a lot of the products either... and I had been a computer guy for 13+ years ;).

I would say until 1.5 years ago, VS was pretty much unknown. But just remember, when someone loves a product, they tend to let a lot of people know about it ;).
VS has changed the face of security software. Dan makes it easier for the average user to get great protection.