Author Topic: Using Comodo Internet Security as an anti-executable  (Read 26964 times)

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Using Comodo Internet Security as an anti-executable
« on: August 10, 2010, 09:52:39 AM »
Guide v2.06

Revision history:
August 10, 2010: Initial guide v1.0 created.
August 24, 2010: updated guide to v2.0. Included in v2.0 is the ability to install programs with Defense+ not disabled, and protection of Comodo Internet Security from tampering by the user.
August 25, 2010: updated guide to v2.01. The recommendation in step 10 was changed.
August 29, 2010: updated guide to v2.02. Added explanation in steps 20 and 21 that a trailing * is required. Moved Notes to a separate post because this post is already long enough.
September 24, 2011: updated guide to v2.03. Added download links for Comodo Internet Security v4.1.
October 22, 2011: updated guide to v2.04. Removed material regarding an older method. Added material regarding how to prompt upon execution of unrecognized programs in CIS v5.x or later.
October 23, 2011: updated guide to v2.05. Added link to topic discussing this guide.
October 26, 2011: updated guide to v2.06. Removed material about alternative method for CIS v5.x.

In this topic I'll show how Comodo Internet Security v4.1 can be used as anti-executable software, similar to Software Restriction Policies (SRP) or AppLocker. The goal of the method presented here is that any file that a user with limited privileges can write to is non-executable by the user, and any file that a user with limited privileges can execute is non-writable by the user. We'll use built-in operating system functionality as well as Comodo Internet Security to achieve this goal. For a good explanation of this goal, see http://www.mechbgon.com/srp/, but don't follow the instructions there since we'll be using Comodo Internet Security instead of Software Restriction Policies.

This method is suitable only if your "everyday use" account has limited privileges, which includes:
  • limited user account (Windows XP) or standard user account (Vista or later)
  • admin account using User Account Control approval mode, which is the default for Vista and Windows 7

I've tested this method with CIS v4.1 on Windows 7 x64, Windows XP x86, and Windows Vista x86. CIS v4.1 x86 can be downloaded from http://www.filehippo.com/download_comodo/7708/. CIS v4.x x64 can be downloaded from http://download.chip.eu/de/Comodo-Internet-Security-64-Bit-_6804435.html - select 'Jetzt Downloaden' and then 'Software jetzt downloaden'. Note that since v4.1 isn't the latest version of CIS, virus signature updates might no longer work. This guide hasn't been updated for CIS v5.x because CIS v5.x doesn't allow for .DLL execution control.

Steps:
1. Create a full system backup, or at least a restore point, in case things go awry.
2. Install Comodo Internet Security (CIS) if you haven't already done so. You don't need to install the antivirus component if you don't want to use it. Don't restart the operating system when prompted - we'll do that in step 7.
3. Open CIS. Create and activate a new CIS configuration if desired using More -> Manage My Configurations. You can export an existing configuration and then import it to create a copy of an existing configuration.
4. Disable the CIS firewall if you don't want to use it by right-clicking on the CIS tray icon -> Firewall Security Level -> Disabled.
5. Disable the CIS sandbox if you don't want to use it by right-clicking on the CIS tray icon -> Sandbox Security Level -> Disabled.
6. Disable Defense+ by right-clicking on the CIS tray icon -> Defense+ Security Level -> Disabled. We'll enable Defense+ later when we're done configuring everything.
7. If you're installing CIS, restart the operating system.
8. Open CIS if it's not already open. Go to Defense+ -> Advanced -> Defense+ Settings -> General Settings. Uncheck all 4 checkboxes. Change 'Keep an alert on the screen for (seconds)' to 999.

9. Go to Monitoring Settings. Uncheck all checkboxes except for Interprocess Memory Access and Processes' Termination. You can monitor other areas if you like but they are not required for the purposes of this method. Press OK.

10. Go to Defense+ -> Advanced -> Image Execution Control Settings -> General. Do either option 1 or option 2, but not both.
Option 1. If you want to monitor .exe and .com files, then set the slider to Normal. This option offers weaker security than option 2 because .dll and .bat files are not monitored, but unlike option 2 there aren't any extraneous "false positive" prompts.

Option 2. If you want to monitor .exe, .com, .dll, and .bat files, then set the slider to Aggressive. This option offers stronger security than option 1 because .dll and .bat files are also monitored, but unfortunately sometimes results in "false positive" prompts - prompts when execution wouldn't truly occur. Therefore, when using this option I recommend using the Parental Control feature to suppress Defense+ prompts - more on this below.

11. Go to Files to Check. Delete all existing entries. Click Add -> Browse. Type * and then press Apply. Press Yes. Press OK.

12. Go to Defense+ -> Common Tasks -> My Protected Files -> Groups -> Add -> A New Group. Type Global Blacklist and then press Apply. Select entry Global Blacklist. Click Add -> Select From -> Browse. Type * and press Apply. Press Yes.
13. Press Add -> A New Group. Type Global Whitelist and then press Apply. Select entry Global Whitelist. Click Add -> Select From -> Browse. Type * and press Apply. Press Yes.
14. This step can be skipped if you intend to always disable Defense+ when installing programs. Go to Windows Explorer. Create a folder that will be used only for launching program installers. I recommend creating a folder inside the user profile of the account that will be used when installing programs. For example, I created folder C:\Users\elmoadmin\Run. elmoadmin is the name of the admin account that I use to install software. Note to Windows XP users: user profiles are stored in the Documents and Settings folder.
15. This step should be skipped if and only if you skipped step 14. In CIS, press Add -> A New Group. Type User's Installers and then press Apply. Select entry User's Installers. Click Add -> Select From -> Browse. Select the folder that you created in step 14. Press "->". Press Apply.
16. The last three (or two if you skipped steps 14 and 15) file groups in My File Groups should look similar to the last three (or two) file groups below. The item order doesn't matter. Press Apply. Press Apply.

17. Go to Defense+ -> Advanced -> Computer Security Policy. Delete all existing policies.
18. Press Add -> Select -> File Groups -> Windows Updater Applications -> Apply. Select policy Windows Updater Applications. Click Edit -> Use a Predefined Policy. Choose 'Installer or Updater' from the list. Press Apply.
19. Skip this step if and only if you skipped steps 14 and 15. Press Add -> Select -> File Groups -> User's Installers -> Apply. Select policy User's Installers. Click Edit -> Use a Predefined Policy. Choose 'Installer or Updater' from the list. Press Apply.
20. Press Add -> Select -> File Groups -> Global Blacklist -> Apply. Select policy Global Blacklist. Click Edit -> Access Rights -> Modify (the Modify that's next to 'Run an executable')  -> Blocked Applications -> Add -> Browse. Here we want to specify the files that will be blocked from executing. Unfortunately, by default some folders within \Windows are both writable and executable by a user with limited privileges. Those folders should be blocked from execution. The folders to select are as follows. Your Windows folder may be in a different location than mine is - use the appropriate location for your system.

Windows XP x86:
c:\windows\Debug\UserMode
c:\windows\Registration\CRMLog
c:\windows\Tasks
c:\windows\Temp
c:\windows\system32\spool\PRINTERS

Windows Vista:
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing

Windows 7:
c:\windows\debug\WIA
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing

Press Apply -> OK -> Apply -> Apply.

Note that all entries must end with * - see figure below.

21. Press Add -> Select -> File Groups -> Global Whitelist -> Apply. Select policy Global Whitelist. Click Edit -> Access Rights -> Modify (the Modify that's next to 'Run an executable') -> Allowed Applications -> Add -> Browse. Here we want to specify the files that will be allowed to execute without prompts. Select C:\Program Files. Press "->" button. Select C:\Windows. Press "->" button. If you're using x64, select C:\Program Files (x86) and press "->" button. These folders may be in different locations on your system - use appropriate locations. If you didn't skip step 14, then select the folder created in step 14 and press "->" button. Press Apply -> OK.

Note that all entries must end with * - see figure below.

22. The purpose of this step is to avoid unnecessary (for the purposes of this method) Defense+ prompts. Skip this step if you wish to see these prompts. Set Interprocess Memory Accesses to Allow. Set Processes' Termination to Allow. Set Window Messages to Allow.

23. Press Apply -> Apply.
24. Press Add -> Select -> File Groups -> COMODO Internet Security -> Apply. Select policy COMODO Internet Security. Click Edit -> Protection Settings. Set Interprocess Memory Accesses to Yes. Set Windows/WinEvent Hooks to No. Set Processes' Termination to Yes. Set Windows Messages to No. Press Apply -> Apply.

25. Ensure that the policies look similar to below. The order of the policies must be the same as shown. The files in the file groups Windows Updater Applications and COMODO Internet Security may vary from what is shown. Press Apply.

26. Change CIS Defense+ mode to Paranoid Mode by right-clicking on the CIS tray icon -> Defense+ Security Level -> Paranoid Mode.
27. Run programs that you normally use and check if everything seems to be working properly. Check if rebooting works properly. CIS will prompt upon execution of any files not explicitly allowed or blocked by your ruleset, unless suppression of Defense+ prompts is enabled - more on this later.

Please post any feedback about this guide at https://forums.comodo.com/install-setup-configuration-help-cis/feedback-for-topic-using-comodo-internet-security-as-an-antiexecutable-t77783.0.html.

Please see my next post for notes.
« Last Edit: October 27, 2011, 01:24:14 AM by MrBrian »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Re: Using Comodo Internet Security as an anti-executable
« Reply #1 on: August 10, 2010, 01:25:16 PM »
Seems like this might be made a FAQ entry. What do you think?

Best wishes

Mouse

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Using Comodo Internet Security as an anti-executable
« Reply #2 on: August 10, 2010, 08:00:00 PM »
Notes:

  • If there is any person who uses your computer's operating system that is not trustworthy, or wise about answering prompts, then I suggest setting the Parental Control feature as covered in the previous note.
  • Don't add any files writable by a user with limited privileges to the list in step 21, except for possibly the folder created in step 14. Doing so violates the goal of this method. If it's absolutely necessary to execute a file writable by a user with limited privileges, then use a separate policy with rules as specific as possible. For example, the latest version of Adobe Flash in Internet Explorer creates a temporary DLL of varying names with a .tmp extension in a location writable by a user with limited privileges. My ruleset has a separate policy for the Flash executable, specifying that it's allowed to execute C:\Users\elmoadmin\AppData\Local\Temp\*.tmp .
  • You may view the list of files blocked from executing by going to Defense+ -> Common Tasks -> View Defense+ Events. Not all files listed here were necessarily blocked.
  • Some files may legitimately need to execute within \Windows\Temp, which is blocked from execution in step 20. A policy can be created to allow execution within C:\Windows\Temp for specific programs. Such a policy must precede the Global Blacklist policy in the list of policies.
  • Windows installer (.msi) files and PowerShell scripts are not by default blocked by this method. However, the main executables for Windows Installer (msiexec.exe) and PowerShell could be added to the list in step 20.
  • A good test case that your rules are working properly is Firefox portable. Install it in a folder not already explicitly allowed or blocked in your ruleset. Executing Firefox portable should result in prompts for .exe files. If you followed option 2 in step 10, then there should also be prompts for .dll files. Get Firefox portable at http://portableapps.com/apps/internet/firefox_portable.
  • If you're using a standard (or limited) user account, I recommend periodically auditing the standard account for permissions issues using Windows Permission Identifier, AccessChk, or AccessEnum. See http://www.wilderssecurity.com/showthread.php?t=268435 for more details. Doing so helps achieve the goal stated at the beginning of this post.
  • I haven't run into any problems installing Windows Updates when Defense+ is active.
« Last Edit: August 29, 2010, 07:40:15 PM by MrBrian »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Re: Using Comodo Internet Security as an anti-executable
« Reply #3 on: August 11, 2010, 03:19:23 AM »
I'm not sure if you're asking me; if you are, that's fine with me provided that others find it useful :). My other method is in the Important Topics section of this forum.

Well yes really. Having thought about it I think this is more like configuration guide material, so I'd plan to move it there later today if you have no objections.

I certainly think others will find it useful. Thanks for all your hard work on this, and your previous guides.

Best wishes

Mouse

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Using Comodo Internet Security as an anti-executable
« Reply #4 on: August 13, 2010, 07:46:16 PM »
From a post from brucine in another thread - http://forums.comodo.com/virusmalware-removal-assistance/rootkittmphider-t59193.0.html;msg424247#msg424247 - in response to my post http://forums.comodo.com/virusmalware-removal-assistance/rootkittmphider-t59193.0.html;msg423927#msg423927:
Quote
For some reasons, i am not able to answer to the thread you link, but i am not sure to get your point.

First, of course, most people do not run XP under a low privileged account, precisely because they don't want to be bothered when they modify or install whatsoever.

Next, one of course cannot agree for disabling defense+ for setting purposes: if doing so, the network cable should be unplugged.

But your approach somehow makes the assumption that threats should always come from online malware penetration.

One curious thing enough is that a lot of people want to use CIS against some potentially very dangerous behaviors, including online gaming, instant messenging, and p2p networks.

In this last event, people don't usually download the pictures of their grand-mother, but not legit media or software materials.
They then deliberately install the said files and, speaking of software, most often to the default Program Files location: i see no instance where the said location should be made as trusted, and as a matter of consequence, no way to make of defense+ a "quiet" software for the only benefiit of less alerts.

Thank you brucine for your feedback.

My method adds anti-execution protection for those using an account with limited privileges as their everyday account. Running with limited privileges has been made much easier in Vista and Windows 7 due to User Account Control (UAC). Running with limited privileges in most cases prevents system compromise upon malware execution. However, malware running in an account with limited privileges can nonetheless do many bad things short of system compromise. Using anti-execution technology, such as the method presented in this topic, in most cases stops malware from executing in a limited privilege account. If malware cannot execute, then it cannot hurt you. :)

If a user chooses to install software that happens to be malicious and gives it admin privileges, then it's "game over" from my perspective. The answer here is simple: don't install rubbish.

Some malware - for example the proof-of-concept from the Rootkit.TmpHider thread - evades anti-execution technology that handles exes but not dlls. Thus, I hope that Comodo doesn't abandon dll coverage in future CIS versions, as was stated by egemen.
« Last Edit: August 13, 2010, 07:48:24 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Using Comodo Internet Security as an anti-executable
« Reply #5 on: August 13, 2010, 11:26:48 PM »
From http://arstechnica.com/microsoft/news/2010/03/half-of-windows-flaws-mitigated-by-removing-admin-rights.ars:
Quote
In total, 64 percent of all Microsoft vulnerabilities reported last year are mitigated by removing administrator rights. That number increases to 81 percent if you only consider security issues marked Critical, the highest rating Redmond gives out, and goes even higher to 87 percent if you look at just Remote Code Execution flaws.

...and that's without using anti-execution protection ;).

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek