Author Topic: Configuring Defense+ for min alerts & good security under admin account in XP  (Read 73614 times)

Offline petrossa

  • Newbie
  • *
  • Posts: 4
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #45 on: September 09, 2009, 12:58:21 PM »
Thanks for pointing me in the right direction. I made a new predefined security policy called: Unprotected.
Gave it all access and no protection. Gave the dll this policy. So far no hook warnings. :-TU

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
Re: An approach for configuring Defense+ for many fewer alerts
« Reply #46 on: October 07, 2009, 03:36:30 PM »
In my opinion D+ is heavily loading the system. It is also adding numerous keys under HKLM\System\....
Everyone agrees that the system hive is very critical for booting and its size should not be increased.

There are two solutions. The first is to move the HIPS or Firewall settings to disk, as registry keys are files on disk too.

The second solution is to reduce the number of checks in D+; they should be limited only to Protected registry keys, COM and Interprocess memory access.

By blocking Interprocess memory access we can block programs like Google Updater, which does not connect directly to the internet to download but instead piggybacks on svchost to download files.

Regards

Adi

Offline rossetti02121967

  • Newbie
  • *
  • Posts: 1
Re: how do i delete rundll in c windows. it has messed with my registry key
« Reply #47 on: February 12, 2010, 04:34:23 AM »
We can divide how malware runs into 2 categories: an executable we intended to run but didn't realize was malicious, and unintended malware execution.

Case 1 - executable we intended to run but didn't realize was malicious: We can lessen the chance of this happening by getting software from only trustworthy sources. Also, use antivirus software. I scan all downloads with 3 antivirus products before I run them. Another possibility is to use a browser with a good malware reputation system, so that you are warned about malicious downloads by the browser itself. According to a recent study, Internet Explorer 8 has by far the best malware reputation system - see http://www.wilderssecurity.com/showthread.php?p=1428720.

Case 2 - malware we didn't intend to run: This can happen in multiple ways:
a) Attack on a network service with a vulnerability - either mitigated or entirely prevented by using a hardware firewall (e.g. a router) and/or a software firewall.
b) Automatic execution from insertion of infected USB sticks or removable media via autorun technologies - can be entirely prevented by turning off autorun for all drives - see http://www.windowssecrets.com/2009/03/05/02-AutoRun-patch-a-long-time-coming-for-XP-users and http://windowssecrets.com/2009/03/12/02-Microsoft-flubs-a-way-to-disable-AutoRun-in-XP.
c) Malware shellcode execution upon buffer overflow when exposed to malicious content - most cases hopefully prevented by CIS setting for 'Detect shellcode injection'. Example: viewing a rigged PDF in a vulnerable version of Adobe Reader
d) Malware execution by using a given program's programmability features when exposed to malicious content - mitigation strategies vary for each program; in Microsoft Office, for example, macros can be disallowed or selectively allowed. An example of how malicious code can run from a Microsoft Office macro is found at http://blog.didierstevens.com/2008/10/23/excel-exercises-in-style/.

Let's examine how case c is handled by my CIS approach. Other security measures outside of CIS, such as antivirus or Data Execution Prevention, may or may not prevent the malware from executing. Let's suppose these other security measures would not prevent the malware from executing. In case c, hopefully CIS Shellcode Injection technology, if you enabled it, would prevent the malware's shellcode from executing. If not, the malware shellcode may have been able to execute. The malware shellcode, in my understanding, almost always then downloads and runs an executable that carries out whatever the bad guys want to occur. The first action, the downloading of the executable by the shellcode running inside the attacked program, could possibly result in a CIS firewall alert, depending on your Firewall Security Level and the existing firewall policy for the attacked program. This is one of the reasons I recommended in an earlier post to use as specific a firewall policy as possible instead of a more general firewall policy. If this fails, then the malware shellcode will attempt to run the downloaded executable. If the downloaded executable did not overwrite an existing previously allowed executable, then you should get a D+ file execution alert. If the downloaded executable overwrites an existing previously allowed executable, then my CIS approach will not prevent the malware execution; however, the next time you run NIS Filecheck or FingerPrint, you should be able to detect what happened, and revert to an earlier system backup.

Keeping your software up to date is important in minimizing the risks for unintended malware execution by exposure to malicious content. Secunia PSI is highly recommended for keeping 3rd party programs up to date.
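The post above relies on a file-integrity tool (NIS Filecheck or FingerPrint) to catch the case where a dropped executable overwrites a previously allowed one, since D+ raises no execution alert for a file it already trusts. The following is an added example, not code from the thread or from Comodo, showing the core of such a tool: hash every file under a directory into a baseline, then compare a later snapshot against it to list modified, added and removed files. The directory tree and its contents are constructed inside the script so it runs offline; the function and file names are assumptions for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not part of the thread)."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline; keep this copy somewhere the scanned system cannot write to."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash root and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a trusted executable is overwritten and a new file is dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "programs"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "allowed.exe").write_bytes(b"MZ original allowed program")   # constructed
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper library")             # constructed
        baseline_file = Path(d) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated compromise: the previously allowed file is replaced in place,
        # and an additional executable appears.
        (root / "bin" / "allowed.exe").write_bytes(b"MZ replaced contents")          # constructed
        (root / "bin" / "dropped.exe").write_bytes(b"MZ new file")                   # constructed

        return compare_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The overwritten file shows up under "modified" even though its name and location are unchanged, which is exactly the case an allow-by-path rule misses. The baseline file itself must be stored where the scanned machine cannot rewrite it (removable media or another host), otherwise the same malware that replaced the executable could refresh the baseline.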
