Even simpler, don't bother to 'tweak' at all, I never do. My nephew still couldn't successfully install the fake anti-virus product he downloaded both because he didn't have the priviledge (Standard account) and the AV/AS app caught most of the trojans and other files anyway. This required me to install a properly updating security product initially, but requires absolutely no maintenance since then, since everything performs automatic updates.Originally Posted by m00nbl00d
The new SmartScreen Filter in IE 8 should improve this even further by detecting most malware before it ever reaches the filing system.
IEBlog: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter
http://blogs.msdn.com/ie/archive/200...en-filter.aspx
Spybot S&D Immunize by default places the same entires in the Hosts file, but I don't use that either. As with the current issue with Restricted Sites, large Hosts file lists often create peformance issues, though usually only on Windows 2000 and older systems that lack resources. The more common issue is with many current anti-virus products which contain monitoring features that partially conflict with such large files, causing their own performance issues.Then, why not just take the Restricted Sites Zone option, since, what you mention, would be better to place at the HOSTS file, which would prevent anything in the system to connect to that domain.
But, what the Restricted Sites Zone offers, that the HOSTS file lacks, is the capability of adding domains like *.bad-domain. com. By placing a *, the user would be blocking access to any domain within the domain .bad-domain. com, and not just to the main one.
So, such feature and such entries, are, in my most opinion, useful, and waste no resources. Most important, provide an extra layer of security.
As I stated earlier, all lists which are searched linearly will create some overhead, the only question is how much. Unless either the PC is very high performance or the lists are indexed like a database, performance will eventually suffer, it's simply a matter of at what quantity it will become noticeable.
The developers who are 'stuffing' these lists programatically don't want to hear that Microsoft doesn't support this, but they need to.This info my be useful to some person, digging through this thread. Not to me, though. But, thanks.
I'll give you some of this, since what I should have said is that UAC isn't a 'security boundary', it's merely an alerting system tied to the process elevation ability. However, UAC itself desn't create the Protected Mode, it merely enables it to function within a Standard account to provide the security. Here's the key elements and a link to the complete explanation.Actually, it is a security mechanism. When UAC is enabled, it will also enable the Protected Mode in IE7 and IE8, in Windows Vista and Windows 7. This will decrease what IE can do in the system.
UAC is also a good way to know when something is requiring elevated rights to do important changes in the system.
Let's imagine that some user would open an e-mail, and, UAC alert for something. "Houston, we have problem.".
So, UAC is much more than just an annoyance.
http://technet.microsoft.com/en-us/l.../cc749393.aspx
< SNIP >
Unfortunately the Microsoft estimate is that roughly 60% of systems out there belong to people who don't even have a current antimalware installed or being updated (expired subscriptions) on their PC, let alone those operating with several conflicting programs of dubious value.Unfortunately, it happens. But, this are people, who get, perhaps, their first system. Are not even aware of the existing dangers.
But, the main problem here, are the IT professionals. They don't alert the costumers for that very same fact. They just install a free and crippled antivirus, and that's it, pretty much.
Last year, a relative of mine, bought a computer (New computer user), and the folks where this computer was bought, only installed a free and crippled antivirus. They didn't care to explain how to update it. They haven't enabled UAC. They also didn't explain how to work with it, obvisiouly.
To make things a lot worse, they didn't create a normal user account.
Actually, though I agree with your general discussion here, I wouldn't call these 'IT professionals', they're mostly sales people and often just kids. In any case, their primary job is to get the buyer out of the store and not have them calling to ask questions, so security is of little concern to them. If they do things like turn on UAC or provide Standard accounts, most users would complain or call the store for help, so they take the easy out.
This isn't surprising and is just a portion of the symptoms of a dysfunctional computer industry that's based on selling the box rather than the services that are really needed by most customers. Unfortunately the US consumer himself is the problem here, since he wants to buy the box cheap and not pay anything for support, so he gets exactly what he paid for.
I'm not saying the system you're trying to use isn't simple enough, but is it really the most effective? If you're deciding to stay with IE 7 to keep the Spybot S&D Immunizations then you're missing the improved security features included in IE 8.Yes, I agree. That security should be simple, that is. But, just because one makes use of a layered security, that doesn't mean it isn't simple.
One can just make use of a very complex Intrusion Prevention System. But, would it be simple, then?
I know you'd rather have both, but the discussion here has asssumed that for some they appear to be mutually exclusive, at least until the perfomance problem has been resolved.
Bitman
Reply With Quote
