Configuring Defense+ for min alerts & good security under admin account in XP

[tcarrbrion]

Wouldn't setting the default SRP level to Disallowed, with the Program Files and Windows folders the only folders allowed to execute software, do this? Those running as a limited user can write only to their user profile directory. There is a discussion on this at http://www.wilderssecurity.com/showthread.php?t=200772.

Yes, but not available for home users. You have to spend big money on Vista Ultimate to get a secure PC this way.

[MrBrian]

Yes, but not available for home users. You have to spend big money on Vista Ultimate to get a secure PC this way.

It is available for Home users, but you have to set the policies into the registry by an alternate method - by using SetSAFER or using the method mentioned at http://www.wilderssecurity.com/showthread.php?t=232857.

[tcarrbrion]

But this is too complicated for home users. They would not know what to do if anything went wrong. I might try this but I am not a typical home user.

I When I had XP home I found 1 third party application that let you set file permissions on XP home and it was from eastern Europe if I remember right. Do Microsoft threaten to sue any company that makes useful programs like these?

I now have Vista ultimate and LUA/SRP has saved my daughter from a virus that nod32 did not recognise. I have never had an active virus an any computer.

[sirio]

Thank you sirio for the post. I looked at the images you provided. It seems that you were not actually using the special Installation Mode though, because the whole purpose of Installation Mode is the suppression of alerts for installers, yet your images show that many alerts occurred. By the way, I have tried v3.8 in a virtual machine, so I did get to see its default configuration.

I have made an error, I have told you that the configuration of CIS was that of default, it is not really this way: from the v3.5 in CIS have been add more configurations for the various demands , the active configuration after the installation is the COMODO - Internet Security (2), however with this configuration some of the options of D+ are disabled, to have D+ at the most of its potentialities needs to pass to the COMODO Proactive Security (3).

The approach I have outlined is geared more towards prevention of malware execution in the first place than detection within CIS itself of malware that has or is executing, although my approach has some detection capabilities as well. Malware that isn't allowed to execute cannot harm you. My approach also hopefully prevents the installation of rootkits by malware that has already executed, via device driver installation detection. Behavioral blockers such as ThreatFire can do an excellent job of detecting malware that is already running, and thus I recommend using one with my approach. Running NIS Filecheck, Autoruns, What's Running, and HijackThis as described in a prior post serves as a detection mechanism of malware that has already executed. On-demand antivirus scanning is another detection mechanism; I recommend Avira Antivir and Avast for free antivirus. On-demand anti-rootkit scanning is yet another detection mechanism; I recommend Panda Anti-rootkit, Rootkit Unhooker, GMER, and RootRepeal for anti-rootkit scanners.

Right, however for me it is a contradiction to limit D+ and then to have to install other softwares to cover the lacks gotten modifying the policy.

Regards,

sirio. 

[MrBrian]

The content of this post formerly appeared in a previous post. I don't recommend doing what's mentioned in the remainder of this post anymore due to usability-to-benefits ratio issues.

---------

With this approach, it is possible to prevent a given executable from launching executables, even those that have already been added to the 'All Applications' Defense+ policy. To do so, you must do 2 things: 1) move the 'All Applications' policy to the last position in the policy list (because enforcement is done from first to last position in the list), and 2) for the given executable, choose the Block option setting in 'Run an executable', and specify any applications that are allowed to be executed in its 'Allowed Applications' tab.  I've done this with all applications that might be exposed to malicious scriptable content that could possibly launch executables. One such program is Windows Media Player - see http://isc.sans.org/diary.html?storyid=4355.

[MrBrian]

I recommend to look through your list of allowed executables for the 'All Applications' policy. Any entries with wildcards should be removed in most cases, because any file that matches the wildcard will be allowed to execute without alert.

Examples of entries without wildcards (these are desirable):
C:\Program Files\QuickPar\QuickPar.exe
C\Program Files\Audacity\audacity.exe

Examples of entries with wildcards (these are not desirable):
C:\Windows*
C:\Program Files*

I do have some exceptions to this: for Program Files folders with a) many executables, which would otherwise need many items in the 'All Applications' allowed executables list, and b) are not high risk programs such as web browsers

[MrBrian]

I have made some changes. One is that dlls allowed to run in the policy for rundll32.exe should not be moved or copied to the policy 'All Applications'. The second change is that I am now protecting CIS from being tampered with. To do this, allow Defense+ monitoring for Interprocess Memory Accesses, and also Process Terminations; alerts for these two areas will never appear, but they are needed in order to protect CIS from tampering. The other changes I made are reflected in the latest version of the post on page 1 that starts with "Since the gist of this approach..."; follow all the updated instructions there.

To test that CIS is properly protected from tampering, use the program Advanced Process Termination and then try all of its methods against cfp.exe.

[MrBrian]

I tested this approach against the malware from the website alluded to at http://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/undetectable_malware-t36804.0.html;msg263282#msg263282. Fewer than 30% of the engines at VirusTotal detected it; 1 of 3 of my local antivirus scanners detected it. Upon running this malware, ThreatFire detected bad behavior and gave an alert. But would we have detected this with just CIS alone? The answer varies depending on your firewall Alert Frequency Level and Mode. One thing the malware does is send out information using explorer.exe, which is unusual behavior. If you use the firewall in Safe Mode, then since explorer.exe is a safe executable, there would be no firewall alert when explorer.exe sends out info. If you use the firewall in Custom Policy Mode, then whether you would have detected the abnormal use of explorer.exe depends on the firewall Alert Frequency Level and also the existing policy for explorer.exe. If you use any Alert Frequency Level other than 'Very High', and explorer.exe had been previously allowed to send out info, then you probably would not have detected the abnormal use of explorer.exe. On the other hand, if you use Alert Frequency Level 'Very High', you would get an alert on the attempt to send info out via explorer.exe to a different IP address than had been used before. A given IP address can be investigated by using the program IPNetInfo. By the way, it's quite feasible that explorer.exe would have been previously allowed to send info out, because Microsoft sends info out using explorer.exe as described at http://forums.comodo.com/general_security_questions_and_comments_not_product_related/security_alert_windows_live_group-t36892.0.html;prev_next=next.

[MrBrian]

I have added *.sys and also file group '3rd Party Protocol Drivers' to My Protected Files.

[MrBrian]

I have replaced ThreatFire with Prevx Edge (unlimited time trial mode) as my behavioral blocker supplement, because with ThreatFire installed, I experienced a few occasions where my computer became extremely slow. I don't know for sure if this was due to ThreatFire, but I seldomly had this issue before I installed ThreatFire. Prevx Edge in trial mode doesn't block anything (you have to pay for that), but it will alert you if malware by bad behavior has been detected. There is an exception: Prevx Edge even in trial mode will warn of known malware upon clicking an item in Windows Explorer. Prevx Edge needs an Internet connection to function properly.

[reklaw]

Yes, but not available for home users. You have to spend big money on Vista Ultimate to get a secure PC this way.

Perhaps, you can find some usefulness in this tool http://www.beyondtrust.com/products/PrivilegeManager.aspx

Then again, not free, though you can evaluate it.

[MrBrian]

After 7 weeks of using this approach, it has worked well for me so far. There are some unwanted file modification popups during installations because of the issue discussed at http://forums.comodo.com/defense_bugs/some_files_that_are_not_in_my_protected_files_are_protected-t36754.0.html. I do not typically use Installation Mode nor 'Installer or Updater' policy when installing programs.  My exported ruleset size right now is approx. 627 KB. Using my old approach, the exported ruleset size was approx 2105 KB. Thus the new approach has yielded a ruleset size approx. 30% of the size of the old approach; it should be noted though that the ruleset size will probably increase somewhat because I have not used all of the installed programs on my system in the past 7 weeks.

[MrBrian]

When you start to use a new configuration, you don't need to manually rebuild the list of allowed executables in the 'All Applications' policy. Instead, you can copy a registry key from an existing configuration that uses the approach outlined in this topic. Here's how to do it:

(Note: registry editing is potentially dangerous)

1. Exit Comodo Internet Security.
2. Find the registry key for allowed executables in the 'All Applications' policy of an existing configuration that uses the approach outlined in this topic. It will take the form HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\(appropriate configuration number)\HIPS\Policy\(appropriate policy number)\Rules\(appropriate rule number)\Allowed.
3. Find the registry key for allowed executables in the 'All Applications' policy of your new configuration. It will take the form HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\(appropriate configuration number)\HIPS\Policy\(appropriate policy number)\Rules\(appropriate rule number)\Allowed. Delete the 'Allowed' key.
4. Copy the 'Allowed' key from step 2 to the former parent key of the 'Allowed' key in step 3. You can use the free program Registrar Registry Manager to copy a registry key to a different location.
5. Start Comodo Internet Security.

[petrossa]

I have this alert problem on Windowblinds skinned W7, where each time a window opens WB hooks dwmapi.dll . So every time a window opens that has not been opened before, i have to allow the hook.
Happens many times.

Is there a way to make a target DLL free from control? How can i add a target as 'always ok to hook' for the heuristics?

[MrBrian]

I have this alert problem on Windowblinds skinned W7, where each time a window opens WB hooks dwmapi.dll . So every time a window opens that has not been opened before, i have to allow the hook.
Happens many times.

Is there a way to make a target DLL free from control? How can i add a target as 'always ok to hook' for the heuristics?

Try allowing the hook of dwmapi.dll in the Defense+ policy for 'All Applications'.