Comodo Forum > Desktop Security Products & Services > Comodo Internet Security - CIS > News / Announcements / Feedback - CIS
Author Topic: Firewall/Defense+ more secure than Win7 tools?  (Read 4543 times)
ssj100
« Reply #15 on: October 22, 2009, 07:47:56 PM »

Quote:
Linux security is a joke. Do you really think having a limited/full user distinction is a better idea than a privilege/access-based system which Windows was designed for? Linux will fail spectacularly when more people begin to use it and are prone to social engineering attacks. Linux doesn't have a global object manager with ACLs like Windows has. Linux doesn't even have filesystem ACLs by default. When MS changes Windows to utilise its privilege system even more, you won't be seeing many viruses at all.

Quote:
And speaking of jokes, software restriction policies are also a joke. They are implemented in user-mode by CreateProcess, and can easily be bypassed by some code patching or simply starting processes using the Native API.

SRP is a simple windows tweak.  It takes up no resources and doesn't need updating.  It's also a very powerful anti-executable and I've yet to see it bypassed by real-world malware.  I know there are POCs available out there (created by Didier Stevens I think) that can bypass SRP, but it requires an untrusted/unknown file to be run on the REAL system - something that shouldn't be done if you want to be "100%" - you should always run these files virtualised with Sandboxie or in a sandboxed VM.

Regardless, LUA + SRP + DEP (or equivalent) is ample security for most people, and will protect you from 99.99999% of real-world malware.

Sandboxie + LUA + KAfU + SRP + DEP + SuRun
Windows Firewall + NAT Router
Avira AntiVir Personal (on-demand)
VirtualBox (on-demand)
res1stanCe
« Reply #16 on: October 22, 2009, 08:06:08 PM »

@wj32
stop talking nonsense...

you have no idea about linux, but post only bull**** about linux oO that is Off-Topic!

Quote:
I wasn't talking about Linux, I was talking about Windows. Unlike you, I can find problems with both Windows and Linux, not just the platform I dislike.

only in windows the policies are a joke, not in linux

oO? i can find problems too, wannabe expert... talk nonsense to others like you
« Last Edit: October 22, 2009, 08:13:43 PM by res1stanCe »
wj32
« Reply #17 on: October 23, 2009, 12:42:58 AM »

Quote:
I know there are POCs available out there (created by Didier Stevens I think) that can bypass SRP, but it requires an untrusted/unknown file to be run on the REAL system

What's that meant to mean? Are you saying software restriction policies are secure simply because you won't test them? That's like saying having a crap password is secure just because you won't "let" any untrusted/unknown people have your email address. The truth is it is very easy to bypass SRPs simply by using RtlCreateUserProcess or any non-CreateProcess-based method of starting processes. Dismissing that as just a POC is just ridiculous. Have you got any proof that this technique can't be used easily by malware?

Sure, you can try to make sure you don't run the wrong executables, but people make mistakes, and SRPs won't protect you.

But can you explain how you are using SRPs against malware? Are you restricting the places from which programs you (the user) start?
« Last Edit: October 23, 2009, 12:47:24 AM by wj32 »
tcarrbrion
« Reply #18 on: October 23, 2009, 01:57:14 AM »

Quote:
The truth is it is very easy to bypass SRPs simply by using RtlCreateUserProcess or any non-CreateProcess-based method of starting processes.

If you control what can be run with LUA and SRP how can the program using RtlCreateUserProcess run to start the malware?
wj32
« Reply #19 on: October 23, 2009, 02:45:59 AM »

Quote:
If you control what can be run with LUA and SRP how can the program using RtlCreateUserProcess run to start the malware?

Who/what are you controlling in the first place? Are you preventing user mistakes or preventing programs from starting other programs? Keep in mind that starting programs isn't the only way to execute code - SRPs won't protect you against flaws in network services, and neither will LUA.
tcarrbrion
« Reply #20 on: October 23, 2009, 03:54:37 AM »

So far SRP/LUA/DEP has stopped everything the inexperienced members of my family have tried to pick up while browsing or using messenger. I do run CIS on top of this but I don't think it has yet done anything useful. My own experience is very limited but everything I have heard suggests this is generally valid.

Personally, I like to play safe so I have CIS with antivirus, firewall and defence+.

Maybe if SRP became more common there would be more malware getting round it.
wj32
« Reply #21 on: October 23, 2009, 05:43:26 AM »

My point was that although Windows security is already sufficient (excluding bugs in system services, etc.), few users actually take the necessary precautions or are bothered to configure Windows properly. That's why CIS helps.
SS26
« Reply #22 on: October 23, 2009, 08:57:01 AM »

Quote:
My point was that although Windows security is already sufficient (excluding bugs in system services, etc.)

How about protection against data leaks by trojans/keyloggers/screenloggers? These are not always dependent on admin credentials, are they?
There are a number of PoCs out there (including COT by Comodo). Besides, there are real-world samples: I saw TV news where a virus writer was arrested because he stole money from people's electronic payment accounts (WebMoney system) using his own special virus.
Is standard Windows (without 3rd party security applications) capable of preventing such data leaks?
Or is the answer: UAC can stop execution of all unknown executables?
dkmc
« Reply #23 on: October 23, 2009, 09:21:24 AM »

Some Linux robots here do not understand that claiming anything the soul desires has nothing to do with facts.

Be polite. Be professional. But, have a plan to kill everyone you meet.
[ from USMC Rules for Gunfighting ]
tcarrbrion
« Reply #24 on: October 23, 2009, 09:42:45 AM »

Quote:
Or the answer is: UAC can stop execution of all unknown executables ?

A simple software restriction policy can stop execution of unknown programs for limited users. This includes administrators with UAC turned on but it may not be so secure in that case.
ssj100
« Reply #25 on: October 23, 2009, 03:41:05 PM »

Quote:
What's that meant to mean? Are you saying software restriction policies are secure simply because you won't test them? That's like saying having a crap password is secure just because you won't "let" any untrusted/unknown people have your email address. The truth is it is very easy to bypass SRPs simply by using RtlCreateUserProcess or any non-CreateProcess-based method of starting processes. Dismissing that as just a POC is just ridiculous. Have you got any proof that this technique can't be used easily by malware?

Sure, you can try to make sure you don't run the wrong executables, but people make mistakes, and SRPs won't protect you.

But can you explain how you are using SRPs against malware? Are you restricting the places from which programs you (the user) start?

All I'm saying is that SRP is a powerful anti-executable.  Why are you asking if I have "any proof that this technique can't be used easily by malware?"  Of course it can be used by malware.  But I have yet to see an example of this malware in the real world.  Have you?  That's why I said it's a POC.  Why is that ridiculous?  Have you seen real-world malware that uses this technique?

Yes, people make mistakes all the time.  I could also make the mistake of putting a pipe bomb in my room and blow up my computer.  The point is that if you are going to talk about user error, then every "security setup" is equally prone to malware infestation.

I use LUA + SRP.  SRP is mostly in its default configuration except for a few tweaks as mentioned here:
http://www.mechbgon.com/srp/

The beauty of this combination is that everything can run from C:\Program files and C:\Windows, but nothing can write to them.  All executables (even scripting and command prompt executables) outside of C:\Program files and C:\Windows are blocked from running.

Sure, I guess theoretically everything is able to be bypassed if you try hard enough.  But I'd imagine it would be very hard to bypass Sandboxie + LUA + KAfU + SRP + DEP haha!

Ultimately, the point is that LUA + SRP will keep you safe from 99.99999% of real-world malware.  Don't forget that having a good "security approach" is very important.  A good "security approach" means things like:
1. Not clicking willy nilly on ads in web-sites etc
2. Not visiting dodgy web-sites without the appropriate security measures (eg. sandboxing, light virtualisation).
3. Not running unknown/untrusted files on your REAL system until you've taken appropriate measures to ensure the files are clean.
4. etc etc.

EDIT: Finally, LUA + KAfU+ SRP + DEP are simply windows tweaks!  Why not enable them?  Even if they provide very minimal protection (like DEP), there's no harm in enabling them!  They don't take up system resources, they never need to be updated, they are FREE etc!
« Last Edit: October 23, 2009, 03:54:59 PM by ssj100 »
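The setup ssj100 describes (default level Disallowed, C:\Program Files and C:\Windows Unrestricted, a standard user who cannot write to either) is easy to reason about in code. The following is an added example written for this thread; it is not code from the forum, from Comodo, or from the mechbgon.com page linked above. It models only SRP path rules plus the default level (hash, certificate and zone rules are left out), uses SRP's rule that the most specific matching path rule wins, and checks file types against a constructed extension list rather than the real "Designated File Types" setting. The `audit_writable` function is the check a practitioner would want: given the policy and the directories a limited user can write to (constructed sample paths), it lists any location where a dropped executable would still be allowed to run, which is exactly the assumption the LUA + SRP combination rests on.

```python
"""
Simplified model of Windows Software Restriction Policy (SRP) path-rule
evaluation.  Added example for this thread, not code from the forum, Comodo
or mechbgon.com.  Assumptions: only path rules and the default level are
modelled; among matching path rules the most specific (longest) path wins,
which is how SRP resolves conflicting path rules; DESIGNATED_TYPES is a
constructed list standing in for the real "Designated File Types" setting.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed stand-in for SRP's designated file types.  Files whose
# extension is not listed are not subject to the policy at all.
DESIGNATED_TYPES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                    ".msi", ".lnk", ".hta", ".cpl", ".reg"}


@dataclass(frozen=True)
class PathRule:
    path: str   # directory (or single file) the rule covers
    level: str  # DISALLOWED or UNRESTRICTED


def _parts(path: str):
    # Case-insensitive path components, compared component-wise so that a
    # rule for C:\Program Files does not also cover C:\Program FilesX.
    return PureWindowsPath(path.lower()).parts


def _covers(rule: PathRule, target: str) -> bool:
    r, t = _parts(rule.path), _parts(target)
    return t[:len(r)] == r


def evaluate(target: str, rules, default_level: str = DISALLOWED):
    """Return (level, reason) for `target` under `rules` and the default level."""
    if PureWindowsPath(target).suffix.lower() not in DESIGNATED_TYPES:
        return UNRESTRICTED, "not a designated file type"
    matching = [r for r in rules if _covers(r, target)]
    if not matching:
        return default_level, "default level"
    # Most specific path rule wins; ties keep the first rule listed.
    best = max(matching, key=lambda r: len(_parts(r.path)))
    return best.level, f"path rule {best.path}"


def audit_writable(rules, writable_dirs, default_level: str = DISALLOWED):
    """Directories that are user-writable AND where a dropped .exe would run.
    The LUA + SRP setup discussed in the thread relies on this being empty."""
    probe = "probe.exe"  # constructed file name used only for evaluation
    return [d for d in writable_dirs
            if evaluate(str(PureWindowsPath(d) / probe), rules,
                        default_level)[0] == UNRESTRICTED]


# The policy as described in the thread: default Disallowed, with
# C:\Program Files and C:\Windows Unrestricted.
THREAD_POLICY = [
    PathRule(r"C:\Program Files", UNRESTRICTED),
    PathRule(r"C:\Windows", UNRESTRICTED),
]
# Constructed nested pair to show that the more specific rule wins.
NESTED_POLICY = THREAD_POLICY + [
    PathRule(r"C:\Tools", UNRESTRICTED),
    PathRule(r"C:\Tools\Untrusted", DISALLOWED),
]
# Constructed sample of locations a limited user can typically write to.
USER_WRITABLE = [r"C:\Users\alice\Downloads",
                 r"C:\Users\alice\AppData\Local\Temp"]

if __name__ == "__main__":
    for f in (r"C:\Program Files\Opera\opera.exe",
              r"C:\Users\alice\Downloads\setup.exe",
              r"C:\Program FilesX\setup.exe",
              r"C:\Tools\Untrusted\tool.exe",
              r"C:\Users\alice\Downloads\notes.txt"):
        print(f, "->", evaluate(f, NESTED_POLICY))
    print("writable and executable:", audit_writable(NESTED_POLICY, USER_WRITABLE))
    # A convenience rule for a download folder is what the audit should flag.
    sloppy = NESTED_POLICY + [PathRule(r"C:\Users\alice\Downloads", UNRESTRICTED)]
    print("after sloppy rule:", audit_writable(sloppy, USER_WRITABLE))
```

The model says nothing about where the policy is enforced, which is the point wj32 raises: it only answers "what does this rule set permit?", and a real audit would pair it with a check that the Unrestricted directories really are read-only for the limited account.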
ssj100
« Reply #26 on: October 23, 2009, 03:50:42 PM »

Quote:
My point was that although Windows security is already sufficient (excluding bugs in system services, etc.), few users actually take the necessary precautions or are bothered to configure Windows properly. That's why CIS helps.

That's an interesting way to make that point haha.  You implied quite heavily that SRP is very very weak and is easily bypassed.  And yet I haven't seen you provide proof of real-world malware that can bypass SRP.

By the way, CIS does NOT help in a lot of cases.  People still need to have some level education on what the classical HIPS is doing/asking when it pops up.  A lot of people out there would just click allow for everything!

A proportion of these people can be educated though.  But if they can be educated to handle a classical HIPS, then they can also be educated to use simple windows tweaks!
wj32
« Reply #27 on: October 23, 2009, 03:57:07 PM »

No, theoretically NOT everything can be bypassed if you try hard enough. This is a complete myth perpetrated by idiotic non-programmer security "experts". If you have the right setup, it will be impossible for malware to do any harm. It's then just a matter of user choice. SRPs do NOT fit this category because they are not 100% safe. It's that simple. Now a kernel-mode hook on NtCreateThread(Ex) WOULD be 100% safe and impossible to bypass (for the purposes of intercepting process creation).

And similarly, just because YOU haven't seen an example of malware using a technique doesn't mean it's not being used. And even if it's not being used, having a non-bulletproof technique is not good enough.

You still haven't explained how you're using SRPs. Are you controlling the user or programs?
ssj100
« Reply #28 on: October 23, 2009, 04:15:50 PM »

Quote:
No, theoretically NOT everything can be bypassed if you try hard enough. This is a complete myth perpetrated by idiotic non-programmer security "experts". If you have the right setup, it will be impossible for malware to do any harm. It's then just a matter of user choice. SRPs do NOT fit this category because they are not 100% safe. It's that simple. Now a kernel-mode hook on NtCreateThread(Ex) WOULD be 100% safe and impossible to bypass (for the purposes of intercepting process creation).

And similarly, just because YOU haven't seen an example of malware using a technique doesn't mean it's not being used. And even if it's not being used, having a non-bulletproof technique is not good enough.

You still haven't explained how you're using SRPs. Are you controlling the user or programs?

So what is the setup to be 100% safe?  Keep in mind "user error" and "usability/convenience".  I feel I have achieved "100%" with Sandboxie + LUA + KAfU + SRP + DEP + (SuRun) + a good "security approach".  Runs very nicely and with excellent usability/convenience.

Not quite sure what you're asking with how I am using SRP.  I've already told you by giving that link:
http://www.mechbgon.com/srp/
I am not using "Basic User" for programs etc if that's what you're asking - Sandboxie is a much more powerful alternative.
Also I'm not sure why you keep emphasising/implying that SRP is weak and a "joke" when you've already stated that practically, Windows built-in security is all you need.  I've not even said anything about SRP being 100%.  All I've said is that it's a powerful protection tool that is simply a windows tweak.  Personally however, my own setup is primarily protected by Sandboxie and containing/blocking all malware "threat-gates" with it.

Oh, and it's not just ME that hasn't seen an example of malware using that technique.  You haven't either.  And many others too.  The point is that it's incredibly rare.  So what is your bullet-proof technique to block everything out there?  It's all very well saying that you can be 100% safe in theory.  But that doesn't help us much in practice.  All I'm hearing is talk so far and no illustration/examples.  Thanks for the information.

EDIT: Also are you having a bad day or is this just how you are?  Your writing tone seems to suggest that you are very upset haha:
"...idiotic non-programmer security "experts"".
« Last Edit: October 23, 2009, 04:36:36 PM by ssj100 »
EricJH
Global Moderator
« Reply #29 on: October 23, 2009, 06:53:23 PM »

Quote:
All I'm saying is that SRP is a powerful anti-executable.  Why are you asking if I have "any proof that this technique can't be used easily by malware?"  Of course it can be used by malware.  But I have yet to see an example of this malware in the real world.  Have you?  That's why I said it's a POC.  Why is that ridiculous?  Have you seen real-world malware that uses this technique?

Yes, people make mistakes all the time.  I could also make the mistake of putting a pipe bomb in my room and blow up my computer.  The point is that if you are going to talk about user error, then every "security setup" is equally prone to malware infestation.

I use LUA + SRP.  SRP is mostly in its default configuration except for a few tweaks as mentioned here:
http://www.mechbgon.com/srp/

The beauty of this combination is that everything can run from C:\Program files and C:\Windows, but nothing can write to them.  All executables (even scripting and command prompt executables) outside of C:\Program files and C:\Windows are blocked from running.

Sure, I guess theoretically everything is able to be bypassed if you try hard enough.  But I'd imagine it would be very hard to bypass Sandboxie + LUA + KAfU + SRP + DEP haha!

Ultimately, the point is that LUA + SRP will keep you safe from 99.99999% of real-world malware.  Don't forget that having a good "security approach" is very important.  A good "security approach" means things like:
1. Not clicking willy nilly on ads in web-sites etc
2. Not visiting dodgy web-sites without the appropriate security measures (eg. sandboxing, light virtualisation).
3. Not running unknown/untrusted files on your REAL system until you've taken appropriate measures to ensure the files are clean.
4. etc etc.
Quote:
Don't forget that having a good "security approach" is very important.

Here you are introducing user behaviour as an unexpected extra. Since you are stating it is very important, that means to me that human behaviour is at least equally important compared to the technological measures. That makes a 50/50 equation at best. Not only is that a dirty debate trick, but far more importantly it practically means that lots of hormone-driven male surfers cannot mindlessly trust in the "Sandboxie + LUA + KAfU + SRP + DEP" solution for porn surfing. Now that is what I call a real world scenario. As far as I am concerned you just shot yourself in the foot....

Please read: Introduction to the Sandbox

Using CIS v4 and always the latest snapshot of Opera browser.

AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53