Author Topic: Configuring Defense+ for min alerts & good security under admin account in XP  (Read 73615 times)

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #15 on: March 22, 2009, 07:06:45 AM »
We can divide how malware runs into 2 categories: an executable we intended to run but didn't realize was malicious, and unintended malware execution.

Case 1 - executable we intended to run but didn't realize was malicious: We can lessen the chance of this happening by getting software from only trustworthy sources. Also, use antivirus software. I scan all downloads with 3 antivirus products before I run them. Another possibility is to use a browser with a good malware reputation system, so that you are warned about malicious downloads by the browser itself. According to a recent study, Internet Explorer 8 has by far the best malware reputation system - see http://www.wilderssecurity.com/showthread.php?p=1428720.

Case 2 - malware we didn't intend to run: This can happen in multiple ways:
a) Attack on a network service with a vulnerability - either mitigated or entirely prevented by using a hardware firewall (e.g. a router) and/or a software firewall.
b) Automatic execution from insertion of infected USB sticks or removable media via autorun technologies - can be entirely prevented by turning off autorun for all drives - see http://www.windowssecrets.com/2009/03/05/02-AutoRun-patch-a-long-time-coming-for-XP-users and http://windowssecrets.com/2009/03/12/02-Microsoft-flubs-a-way-to-disable-AutoRun-in-XP.
c) Malware shellcode execution upon buffer overflow when exposed to malicious content - most cases hopefully prevented by the CIS setting for 'Detect shellcode injection'. Example: viewing a rigged PDF in a vulnerable version of Adobe Reader.
d) Malware execution by using a given program's programmability features when exposed to malicious content - mitigation strategies vary for each program; in Microsoft Office, for example, macros can be disallowed or selectively allowed. An example of how malicious code can run from a Microsoft Office macro is found at http://blog.didierstevens.com/2008/10/23/excel-exercises-in-style/.

Let's examine how case c is handled by my CIS approach. Other security measures outside of CIS, such as antivirus or Data Execution Prevention, may or may not prevent the malware from executing. Let's suppose these other security measures would not prevent the malware from executing. In case c, hopefully CIS Shellcode Injection technology, if you enabled it, would prevent the malware's shellcode from executing. If not, the malware shellcode may have been able to execute. The malware shellcode, in my understanding, almost always then downloads and runs an executable that carries out whatever the bad guys want to occur. The first action, the downloading of the executable by the shellcode running inside the attacked program, could possibly result in a CIS firewall alert, depending on your Firewall Security Level and the existing firewall policy for the attacked program. This is one of the reasons I recommended in an earlier post to use as specific a firewall policy as possible instead of a more general firewall policy. If this fails, then the malware shellcode will attempt to run the downloaded executable. If the downloaded executable did not overwrite an existing previously allowed executable, then you should get a D+ file execution alert. If the downloaded executable overwrites an existing previously allowed executable, then my CIS approach will not prevent the malware execution; however, the next time you run NIS Filecheck or FingerPrint, you should be able to detect what happened, and revert to an earlier system backup.

Keeping your software up to date is important in minimizing the risks for unintended malware execution by exposure to malicious content. Secunia PSI is highly recommended for keeping 3rd party programs up to date.
« Last Edit: March 26, 2009, 07:53:30 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #16 on: March 22, 2009, 07:15:24 AM »
If you are not running under a limited/standard Windows account, then I highly recommend using the 'Basic User' setting in Windows Software Restriction Policies on all programs that might be exposed to malicious content, such as web browsers, media players, Adobe Reader, Microsoft Office, etc. More info on this technique can be found at http://www.broadbandreports.com/forum/remark,14461638. Doing so removes administrative abilities from the programs that are set to 'Basic User', which in turn reduces what these programs can do when exposed to malicious content. You can use Process Explorer to verify that a program is running with limited rights by selecting a process, right-clicking and choosing Properties, going to the Security tab, and verifying that the BUILTIN\Administrators item has the flag Deny for the account you are using.

From http://blogs.technet.com/msrc/archive/2006/06/02/432029.aspx:

"Hi everyone.  It's Stephen Toulouse again. We’re of course still hard at work on an update for the Word vulnerability. All indications still point to this being a very limited, targeted attack but we're still spending a lot of time thinking about how customers can protect themselves from this vulnerability.  Today we've made a couple of minor changes to the advisory we posted on this issue to provide more clarity on the workarounds.  Here's the link to the advisory:

http://www.microsoft.com/technet/security/advisory/919637.mspx

But let's talk more about what can be done in general to help be protected from attacks that are similar to this.  We’ve seen some security researchers post write ups around using a Software Restriction Policy to run instances of winword.exe in 'Basic User' mode.  This does serve to block all the malware we've seen using this vulnerability so far.  It’s more of a mitigation rather than a workaround, which prevents the exploitable condition.

What we’ve seen in general with these types of attacks is that the "Basic User" Software Restriction Policy is a "good practice" kind of mitigation that can prevent this specific malware from being successful. Michael Howard wrote about the "Basic User" SRP in his Writing Secure Code column.  The reason it works in this case is because the malware attempts to install a kernel-mode rootkit and the "Basic User" mitigation does not allow this to happen.  It’s key to note however that an attacker could find a way to bypass this mitigation but we haven't seen that yet.

So if you’re looking for a more general way to add another layer to help protect against attacks like these, the SRP mitigation can work for many different types of Malware."
« Last Edit: March 22, 2009, 01:25:02 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #17 on: March 22, 2009, 07:26:52 AM »
Quote
An alternative here is to have an alternative configuration for installation that only monitors the most dangerous things. I have started to explore this option.

Yes, that is a good idea. I also looked into this in the past, and created a predefined security policy for this task, but as I recall there were some issues with it, at least in the older version of CFP that I was using.

Offline sirio

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1736
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #18 on: March 22, 2009, 10:34:09 AM »
Quote
Hi sirio,

Yes, you are right in your interpretation of what my recommendations are. I had similar views to yours in the past. I've come to realize, though, that I have pretty safe computing habits, and thus what I was doing in D+ was overkill for my circumstances; for example, I scan all downloaded programs with 3 antivirus programs before I execute them. Thus I changed my D+ philosophy to being mostly about making sure that only trustworthy code is executed. The attempted execution of unintended code, via exploits etc., should in most cases raise an alert, and thus can be prevented. Code can't damage your system if it isn't allowed to execute. If your computing habits tend towards risky behavior, the approach I describe might not be for you.

First of all, I apologize for my bad English; I hope I succeed in explaining myself well.

I don't have dangerous habits; however, I like to experiment, and therefore to try to see what happens when acting as an average user who uses an admin account with the default configuration, without changing anything.
Because, let's tell the truth, how many users scan a file with 3 different AVs before executing it?

Quote
[...]

There are certainly threat vectors that your approach will handle that mine will not. However, there are some threat vectors that my approach handles that your approach probably doesn't. First example: you download a program that contains a rootkit dropper but you don't realize it. With your approach, because of all the alerts potentially generated during installation, you probably use Installation Mode, which would allow the installation of the rootkit without any alerts. My approach, requiring fewer alerts, makes it feasible to not use Installation Mode during installation, and thus the device driver installation monitoring would hopefully pay off here in an alert and thus prevention of rootkit installation.


I have always been convinced that, even with D+ set to Install Mode, the HIPS protected us in every case; therefore today I ran a test, performing the installation of a rootkit with D+ in Install Mode. Let's see how it behaves:

http://www.virustotal.com/analisis/f43182b04e98d9cf7036b029bc633a61

http://camas.comodo.com/cgi-bin/submit?file=6273a133153e6382d2eabdd277b7b799a60b59cbd69ee4077e1c128e87193bd2
   :ilovecomodo:

and after a scan with GMER we can see:

So my conclusion is that D+ set to Install Mode with the default configuration protects us from the dangerous activities executed by the malware.


Quote
Second example: the default shipped policy with explorer.exe allows execution of any code without alert, right? Let's suppose you have a vulnerable version of Adobe Reader, and a rigged pdf. According to Didier Stevens (at http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/):

"This explains how the PDF vulnerability can be exploited without you opening the PDF document. Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document. In fact, we could say that the document is opened implicitly, because of your actions with Windows Explorer."

The Adobe pdf explorer shell extension runs as a .dll within explorer.exe. Thus, if you click on a rigged pdf in Windows Explorer, and this results in code being executed that downloads and runs a malicious file, your D+ policy for explorer.exe will allow this without alert. In my approach however, I would get an alert, because I altered my D+ policy for explorer.exe.

An additional benefit of this approach for me is that I will hopefully be able to move to a newer version of CIS than v3.0.14.276, which I currently use. The smaller D+ ruleset size of this approach will result in less time in the processing of remembered answers in D+ alerts. Earlier versions such as v3.0.14.276 do not have this issue.

I think that you should try the new version of CIS, 3.8, where by default some important changes have been made in the Computer Policy of D+ for services.exe and rundll32.exe.

Quote
You of course can add whatever additional D+ protections you want, since it's your computer. You could choose to merely adopt the practice of moving allowed executables to the 'All Applications' policy, but keep all of your existing D+ protections in place. D+ is very configurable :).


I have noticed ;D In any case, you have given me some good ideas to experiment with. Thanks.

Ciao,

sirio. :)
« Last Edit: March 24, 2009, 05:37:34 AM by sirio »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #19 on: March 22, 2009, 01:20:12 PM »
Quote
I have always been convinced that, even with D+ set to Install Mode, the HIPS protected us in every case; therefore today I ran a test, performing the installation of a rootkit with D+ in Install Mode. Let's see how it behaves:

Thank you sirio for the post. I looked at the images you provided. It seems that you were not actually using the special Installation Mode though, because the whole purpose of Installation Mode is the suppression of alerts for installers, yet your images show that many alerts occurred. By the way, I have tried v3.8 in a virtual machine, so I did get to see its default configuration.

The approach I have outlined is geared more towards prevention of malware execution in the first place than detection within CIS itself of malware that has or is executing, although my approach has some detection capabilities as well. Malware that isn't allowed to execute cannot harm you. My approach also hopefully prevents the installation of rootkits by malware that has already executed, via device driver installation detection. Behavioral blockers such as ThreatFire can do an excellent job of detecting malware that is already running, and thus I recommend using one with my approach. Running NIS Filecheck, Autoruns, What's Running, and HijackThis as described in a prior post serves as a detection mechanism of malware that has already executed. On-demand antivirus scanning is another detection mechanism; I recommend Avira Antivir and Avast for free antivirus. On-demand anti-rootkit scanning is yet another detection mechanism; I recommend Panda Anti-rootkit, Rootkit Unhooker, GMER, and RootRepeal for anti-rootkit scanners.
« Last Edit: March 22, 2009, 01:26:26 PM by MrBrian »

Offline tcarrbrion

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 672
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #20 on: March 22, 2009, 02:17:21 PM »
One big problem with software restriction policies is that Microsoft does not allow home users to use them. You have to pay a big premium for loads of features you don't need to get secpol.msc and secure your PC properly.

CIS can be used a bit like a software restriction policy. I share my PC and everyone, including me, logs on as limited user. I use clean PC mode and get no pop-ups in normal use. To make sure I set the parental control in CIS. If you then only allow explorer and CMD to run C:\program files and c:\windows then all software is restricted. I have had almost no problems with this. If something does not run I can check the log to see if anything has been blocked but with 3.8 I don't think anything has. In this way users can only run from directories they cannot write to.

Windows system applications can still run any program. I have not tried restricting them.

I do not have the problem of lots of rules slowing CIS down. The only problem I have is clearing down my pending files after a big install. If only there was a multiple file select. I also only allow programs that run as limited user. This can be a problem with some games, particularly older ones.

Having a different configuration for installation avoids having to turn off parental control. Turning parental control on and off is a pain at the moment as you have to re-enter the password so many times.

This approach gives high security with very little work.

Offline tcarrbrion

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 672
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #21 on: March 22, 2009, 02:37:10 PM »
Quote
An example of how malware shellcode can run from a Microsoft Office macro is found at http://blog.didierstevens.com/2008/10/23/excel-exercises-in-style/.

If the whole program was written and executed in this way, how would CIS stop it? As limited user it could not do much to the system. It could, however, encrypt all your documents and demand a ransom. It could also spy on you and connect to the internet.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #22 on: March 22, 2009, 03:24:35 PM »
Quote
If the whole program was written and executed in this way, how would CIS stop it? As limited user it could not do much to the system. It could, however, encrypt all your documents and demand a ransom. It could also spy on you and connect to the internet.

If the macro were malicious, your resident antivirus scanner may be able to catch this. Otherwise, assuming you have set Excel to allow macros to run, CIS would not stop it at all, I believe, since there is no buffer overflow involved. Note that you can configure Excel to allow only digitally signed macros to run. The shellcode could do anything Excel itself can do, including the actions you mentioned. This is a good example of the perils of using Safe Mode for both D+ and firewall, because Excel is considered a "safe" program, and "safe" programs are allowed to do a lot. If, though, your firewall policy for Excel were very granular in allowing only what's needed (or nothing at all), the sending out of info to a different IP than normal perhaps would have triggered a firewall alert. This is one of the reasons I recommend using firewall rules as specific as possible. As for the encryption of your documents, I do recommend putting My Documents and your other data files in My Protected Files, to prevent actions such as this.
« Last Edit: March 25, 2009, 06:02:30 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #23 on: March 22, 2009, 03:43:12 PM »
Quote
One big problem with software restriction policies is that Microsoft does not allow home users to use them. You have to pay a big premium for loads of features you don't need to get secpol.msc and secure your PC properly.

It's true that Microsoft doesn't include the user interface in Home editions to set software restriction policies. However, the Home operating systems will still enforce them, if you find some other way to set them in the registry. One such way is with a program called SetSAFER - see http://blogs.msdn.com/michael_howard/archive/2006/05/07/592136.aspx and http://www.instantfundas.com/2008/02/how-to-run-applications-as-non-admin-in.html.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #24 on: March 22, 2009, 03:53:00 PM »
One thing I forgot to mention: if you're applying the 'Basic User' Software Restriction Policy to Internet Explorer on Windows XP, when you use Microsoft Update, you'll need to temporarily change Internet Explorer's Software Restriction Policy to 'Unrestricted'. Remember to change it back to 'Basic User' when Microsoft Update is finished installing updates.

P.S. I just installed ThreatFire.
« Last Edit: March 22, 2009, 03:56:30 PM by MrBrian »

Offline tcarrbrion

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 672
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #25 on: March 23, 2009, 07:15:35 AM »
Quote
It's true that Microsoft doesn't include the user interface in Home editions to set software restriction policies. However, the Home operating systems will still enforce them, if you find some other way to set them in the registry. One such way is with a program called SetSAFER - see http://blogs.msdn.com/michael_howard/archive/2006/05/07/592136.aspx and http://www.instantfundas.com/2008/02/how-to-run-applications-as-non-admin-in.html.

I want the full software restriction policy so I can restrict software for limited users. I have yet to find a 3rd party application to do this. An easy to use program to do this (not like secpol.msc) would be great for home users. Microsoft make it so hard.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #26 on: March 23, 2009, 08:34:28 PM »
Quote
I want the full software restriction policy so I can restrict software for limited users. I have yet to find a 3rd party application to do this. An easy to use program to do this (not like secpol.msc) would be great for home users. Microsoft make it so hard.

Wouldn't setting the default SRP level to Disallowed, with the Program Files and Windows folders the only folders allowed to execute software, do this? Those running as a limited user can write only to their user profile directory. There is a discussion on this at http://www.wilderssecurity.com/showthread.php?t=200772.


Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #27 on: March 23, 2009, 08:36:47 PM »
Those of you who wish to know info about a given IP address that you see in a firewall alert may wish to try IPNetInfo (freeware).

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #28 on: March 24, 2009, 01:26:19 AM »
Quote
One big problem with software restriction policies is that Microsoft does not allow home users to use them. You have to pay a big premium for loads of features you don't need to get secpol.msc and secure your PC properly.

An alternative to using SetSAFER (http://blogs.msdn.com/michael_howard/archive/2006/05/07/592136.aspx), for those who do not have the Group Policy Editor for editing Software Restriction Policies, is to edit the registry directly, or use a .reg file. How to do this for Vista is explained at http://www.wilderssecurity.com/showthread.php?t=232857. I believe the instructions will also work for XP users without alteration. Posts #1, 2, 5, 10, 12, 18, 34, 61, and 68 should be looked at, for those who don't want to read the whole thread.
« Last Edit: March 24, 2009, 03:00:21 AM by MrBrian »
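The two suggestions above (a default-Disallowed SRP that only permits the Program Files and Windows folders, and the 'Basic User' level for exposed programs such as the browser, applied by writing the registry via a .reg file) can be combined in one generated .reg file. The generator below is an added example for this thread, not code from Comodo, any poster, or the linked Wilders thread; it assumes the SRP registry layout that secpol.msc itself writes (DefaultLevel under CodeIdentifiers, and per-level Paths\{guid} subkeys with ItemData and SaferFlags), and the GUIDs in it are constructed values.

```python
"""Generate a .reg file that sets up a Software Restriction Policy (SRP).

Added example for this thread, not code from Comodo or any poster. It assumes
the SRP registry layout that secpol.msc writes under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers:
  DefaultLevel (DWORD): 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
  <level>\\Paths\\{guid} subkeys holding ItemData (REG_EXPAND_SZ) and SaferFlags.
Review the generated file before importing it, and try it in a VM first.
"""
import uuid

DISALLOWED, BASIC_USER, UNRESTRICTED = 0x00000, 0x20000, 0x40000
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"


def reg_expand_sz(text):
    """Encode a REG_EXPAND_SZ value the way regedit exports it: hex(2) of the
    UTF-16LE bytes plus a terminating NUL. A plain "..." value in a .reg file
    becomes REG_SZ, and %ProgramFiles% would then not be expanded by SRP."""
    data = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in data)


def dword(value):
    return "dword:%08x" % value


def path_rule(level, path, description, guid=None):
    """One SRP path rule. A more specific path wins over a less specific one,
    so a Basic User rule for iexplore.exe overrides Unrestricted %ProgramFiles%."""
    guid = guid or uuid.uuid4()
    return "\n".join([
        "[%s\\%d\\Paths\\{%s}]" % (BASE, level, guid),
        '"Description"="%s"' % description.replace("\\", "\\\\"),
        '"ItemData"=%s' % reg_expand_sz(path),
        '"SaferFlags"=%s' % dword(0),
    ])


def build_srp_reg(default_level, rules):
    """rules: list of (level, path, description[, guid]) tuples."""
    head = "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % BASE,
        '"DefaultLevel"=%s' % dword(default_level),
        '"TransparentEnabled"=%s' % dword(1),   # 1 = enforce on executables, not DLLs
        '"PolicyScope"=%s' % dword(0),          # 0 = apply to all users, admins included
    ])
    body = "\n\n".join(path_rule(*r) for r in rules)
    return head + "\n\n" + body + "\n"


# Policy from the thread: default Disallowed, Program Files and Windows allowed,
# browser dropped to Basic User (switch it to Unrestricted while running
# Microsoft Update, as noted earlier). Constructed GUIDs keep the output stable.
EXAMPLE_RULES = [
    (UNRESTRICTED, r"%ProgramFiles%", "Installed programs",
     "11111111-1111-1111-1111-111111111111"),
    (UNRESTRICTED, r"%SystemRoot%", "Windows directory",
     "22222222-2222-2222-2222-222222222222"),
    (BASIC_USER, r"%ProgramFiles%\Internet Explorer\iexplore.exe",
     "Browser without admin rights", "33333333-3333-3333-3333-333333333333"),
]

if __name__ == "__main__":
    print(build_srp_reg(DISALLOWED, EXAMPLE_RULES))
```

Save the printed text as a .reg file and import it with regedit; a limited user can then only run programs from directories they cannot write to, while a new SRP rule takes effect for newly started processes only.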

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #29 on: March 24, 2009, 03:01:21 AM »