I gave in: Should I have?

[wreckedcarzz]

Alright, I gave in - Avast 4.8 is now running, making its little "VRDB" (Virus Recovery DataBase)

Most of the you here at DC should know that I absolutely hate security software. It rarely stays on my PC for longer than a week - I test what I can for the others in my family (mom, dad, sister) and get the software on all the PCs so that I can keep the whole wheel rolling smoothly.

My security level (minus the newly installed Avast), includes:

DMZ to this PC
Windows Firewall OFF
Windows Defender OFF
Security Center notifications DISABLED
Router firewall ON
100% Windows File Sharing (including Media, Printer, etc) ENABLED
No anti-virus, anti-spyware, anti-malware, anti-trojan, firewall, anti-rootkit, or anything like that
Irregular backups of seemingly important data onto failing hard drives

Everyone I talk to about it that asks me "What security do I use?" is always completely dumbfounded by the idea: A Windows user with no security??

So I gave in and gave Avast another shot (It was one of my favorites back during version 3, when I was security-insane). It doesn't seem to use any resources, and it hasn't gotten in my way yet (except one annoying update notification I had to roll over to get rid of).

But I am wondering: Should I keep it, switch it for something better (I am very fond of Spyware Terminator), or ditch it and go back to Russian roulette with the internet?

I am particularly interested in Kingsoft Internet Security, however a fight to keep in the black ($) is pushing my dad from buying ANYTHING for the computers. We currently have a PC Tools Internet Security 2008 subscription that will die out in a couple months, hence my searching for something to replace it that won't break the bank (literally).

Thoughts?

[f0dder]

wreckedcarzz: I'm indeed pretty dumbfounded at your previous insecurity policy - wow O_o

What I don't get is... why install Avast? STOP DOING DMZ AND ONLY FORWARD NECESSARY PORTS (uPNP is OK), turn on Windows Firewall, and make sure windows filesharing is password-protected. That removes a lot of attack vectors, and if combiend with responsible web browsing (either using Vista with IE7+UAC, thus running sandboxed, or FireFox+DropMyRights), you've eliminated most attack vectors.

[wreckedcarzz]

I don't really worry/care about security - but that's neither here nor there at this point, I'm trying to be preventative in case the crap hits the fan.

I use DMZ because all my PC's run on Dynamic IPs (DHCP) - although I just converted this PC over to an old wireless USB stick, so that has been holding the .141 suffix for the last 3 locations and 6 days, rendering that argument useless. But DMZ allows me to open all my ports to host my games, µTorrent my data [to be], and sustain 100% problem free internet, without re-forwarding ports every time something changes.

UPNP is enabled on the router (DD-WRT hax'd firmware), but it doesn't just let stuff in - it is sufficiently secure. Along with that, I run Firefox with NoScript + AdBlock Plus (IE7 is so.. ugh.. not gonna go there). UAC is disabled simply because I don't want to be asked to confirm something every time I do an admin task (several times a day).

If it turns out that this PC has a static IP, I might end up forwarding ports manually. Probably enable WF too, but it can get annoying at times...

To-do (done):

• Disable DMZ
• Forward ports manually
• Enable Windows Firewall

Done!

[f0dder]

You have a couple of options for a somewhat more sensible setup - if your router is decent, it should support MAC->DHCP mappings - which means that you can basically give some client PCs static IPs, even though they get the address via DHCP. This is really wonderful for managing computers, especially if you have more than a handful but still need to be able to connect to them directly (remote desktop connections through a VPN to machines in another city, for instance).

If it doesn't, no sweat - it sounds like your setup only really needs your machine to have a static IP. So, keep the rest of the machines on DHCP, and give yourself a static IP outside the DHCP pool range. Yeah, you'll need to change your port mappings once, but from then on you'll be running the same static IP on your client machine.

Once you've done this and disabled DMZ, only forwarding the ports you need, theoretically you don't need Windows Firewall. But it's almost free in terms of resource consumption, and it offers an additional level of protection should a machine on your LAN get infected (not very likely to happen if you live by yourself, but if you've got family or a significant other who aren't tech wizards, well... ) - I don't really believe in personal firewall outbound protection, as I've stated in multiple other threads, so Windows Firewall should be just fine.

Nice that you're running NoScript and AdBlockPlus, that definitely helps with security (although you can easily whitelist too much, and if a whitelisted server is hacked it can still be brought to serve malware - nothing is perfect). I'd suggest additionally using DropMyRights or similar with FireFox (and any internet-facing apps) since you're probably running a user account with administrative privileges. That gives an extra level of protection without too much fuzz.

With a setup like this + responsible internet browsing, you should have a pretty good chance at not getting infected, and it's certainly better than being wide open and and depending on an antivirus program to never be outdated and accidentally let something slip through . Heck, I don't even run Antivirus at all, but that's probably hubris on my part. I just haven't found one that I liked (or rather, I don't feel like shelling out for the one I like, namely Kaspersky).

Btw, after having Vista on my laptop for, what, around 10 days? I don't really get why people bitch and moan so much at UAC. It does provide a substantial amount of security (and if exploits are found, they should get patched) and imho it's not so intrusive once you've got your initial machine config+setup done. I do tend to mess around more on my workstation than my laptop though, so perhaps I'd be more annoyed on the workstation

[Deozaan]

My router supports static DHCP. All my devices are set up to use the same IP (each) at my home.

EDIT: Spelling correction.

[wreckedcarzz]

It would appear that the Dynex wireless card I have in this PC has taken the liberty of giving itself a static IP - I don't see why else it would take .141 over .3

It did this on 2 routers (both Linksys, one WRT300N v1, one WRT54G v4) with the same result, so...

I don't whitelist anything (just did my router, but I don't think that will be a "security issue". Temporarily allowing all on this page FTW!

I do run with admin privileges, because of games and the constant install/uninstall game I play with my hard drive. DropMyRights looks a bit... over the edge - I have Sandboxie, and anything I download without knowing much about I run in that first (and investigate the files it creates and whatnot). I was hoping it would be a FF add-on, but apparently not

Kaspersky is a good anti-virus tool (I used one of the old versions many years ago on a Compaq machine I had - solid tool, but uninstalling was a nightmare that lead to a reformat).

UAC is just the Windows equivalent of the Ubuntu (and I am sure other Linux distros) security dialog - but I do MUCH more admin stuff in Windows than Ubuntu, so it is like locking a door every time you go through - eventually your going to get mad and just leave it unlocked for the sake of not going mad and attacking it because you don't want to keep unlocking it (or in most people's case, reverting to XP).

@ Deo: Static DCHP? I thought DCHP was auto-assign on every request?

[Deozaan]

@ Deo: Static DCHP? I thought DCHP was auto-assign on every request?

-wreckedcarzz (October 13, 2008, 06:59 PM)

It's called Static DHCP. It ties the IP address to the MAC address.

[wreckedcarzz]

Grr, I don't have that - I chose Static IP from my list to see the options and almost screwed my connection. What router/firmware is that Deozaan?

[Deozaan]

It's a D-Link DI-624 -- but D-Link sucks, so don't get one.

That particular setting is in the same tab as DHCP settings.

[f0dder]

It would appear that the Dynex wireless card I have in this PC has taken the liberty of giving itself a static IP - I don't see why else it would take .141 over .3

-wreckedcarzz (October 13, 2008, 06:59 PM)

Depends on how the DHCP pool is setup. On home routers/accesspoints/whatever, it's common for the pool to be something like 50 addresses from .100 and onwards.

I don't whitelist anything (just did my router, but I don't think that will be a "security issue". Temporarily allowing all on this page FTW!

-wreckedcarzz (October 13, 2008, 06:59 PM)

Remember that "temporarily allow all" is the same as a temporary whitelist... and allowing *all* instead of specific sites is probably more dangerous than selective permanent whitelists.

I do run with admin privileges, because of games and the constant install/uninstall game I play with my hard drive. DropMyRights looks a bit... over the edge - I have Sandboxie, and anything I download without knowing much about I run in that first (and investigate the files it creates and whatnot). I was hoping it would be a FF add-on, but apparently not

-wreckedcarzz (October 13, 2008, 06:59 PM)

Ah yes, I'm afraid games could be quite an issue... those are often ill-programmed beasts, especially if you don't eliminate software protection for your legitimately purchased copies. Constant install/uninstall is something I left in the past, but that could be annoying too. I wish I could run sandboxie but I'm on 64bit windows so it's not a possibility - and vmware is too much hassle for everyday testing. If you run your browsers in sandboxie, you shouldn't need DropMyRights, and UAC is less relevant as well.

UAC is just the Windows equivalent of the Ubuntu (and I am sure other Linux distros) security dialog

-wreckedcarzz (October 13, 2008, 06:59 PM)

Yep - except slightly more secure because of the whole Protected Desktop thing UAC employs.

but I do MUCH more admin stuff in Windows than Ubuntu, so it is like locking a door every time you go through - eventually your going to get mad and just leave it unlocked for the sake of not going mad and attacking it because you don't want to keep unlocking it (or in most people's case, reverting to XP).

-wreckedcarzz (October 13, 2008, 06:59 PM)

The problem is with crappy developers that ought to receive some massive beatings. But it's partiallly Microsoft's fault as well - they should have dropped all Win9x windows versions after win95, and made the default account type 'limited user' already with win2k. Then we'd have less issues now...

Btw, even with routers that don't have static MAC->DHCP mapping option, many routers will keep a dynamic (until-poweroff or perhaps some timeout) MAC->DHCP table so client computers will often get the same IP. But try turning off the router and renew your addresses...

Grr, I don't have that - I chose Static IP from my list to see the options and almost screwed my connection. What router/firmware is that Deozaan?

-wreckedcarzz (October 13, 2008, 07:07 PM)

You probably tried setting a static IP for the WAN address?

[nontroppo]

I run one VM'ed Win XP without any security software *except* for SandboxIE. Seriously, sandboxing is the lowest overhead plug-n-play solution I've used. Of course the VM is running in virtual-NAT under OS X, itself NATed and firewalled. There is no 3rd party security software running under OS X either; I do miss something like SandboxIE on OS X.

Having set up a friends machine recently (regular XP user - machine was horribly infected with multiple malwares, 8 minute boot, sound was corrupted; necesitated reformat), I still find NOD32 and Spybot a lightweight combination that works. However, I made sure he runs any new programs in SandboxIE, and you should give it a go.

[wreckedcarzz]

f0dder: The router did a reboot because I changed the time zone, and I am still at 192.168.1.141

I tried Static IPs before, and I borked the network so many times... ugh...