Defense+ best practices

I’m checking out the D+ configuration and, looking around,
I discovered that in safe mode “safe executables” are allowed to run.
The main goal of an app like D+ is to defend the system also
from unknown threats, so I wonder why “safe executables” are
allowed to run. They can be exploited too!
Suppose one of these “safe executables” is allowed to install
a driver … then some evil input exploits it and installs
an evil rootkit driver. Am I missing something?

I can’t understand why the “trusted application” policy
allows practically everything.

I know that running D+ in paranoid mode you can
check every action through your own policy, but
then you have a lot of work to do in order to get
a working system.

Why aren’t there some “best practices” policies
around?

For example … browsers, media players, office apps,
compression tools, mail readers, instant messengers
are the most exposed software out there.
You can download Chrome and trust it, but what
if some malicious web site exploits it with a 0-day
vulnerability?

I think it would be a great idea to develop some
good policies for the most exposed apps.

Do I understand correctly you run D+ with sandbox disabled?

CIS does protect executables in various ways. Please read the Monitor settings. On top of that, CIS also has buffer overflow protection to help catch zero-day vulnerabilities.

In short, CIS has very tough protection even for trusted applications.

Right, I don’t use the sandbox. Lately I have been running TOMOYO and SELinux,
so I am trying to replicate the same approach under Windows
with Defense+ (at least partially).

In particular, we should discuss the buffer overflow protection.
Does it protect just the stack, or does it have a more comprehensive approach?
Buffer overflows don’t cover all the vulns out there.

Suppose a bad guy knows about a 0-day in some “safe app”
… and the “buffer overflow protection” doesn’t detect
this kind of vector … is he able to install a driver, for example?

What I mean is … are “safe apps” all the same? Or are there
various classes of “safe apps”?

I think a browser has to be treated in a different way from
a system app … one should always suppose that a browser
or anything taking input from the internet (even a downloaded file)
is potentially dangerous.

But maybe I am missing something.

In any case, what would be a good policy
for an app taking input from the internet (browser, media player, etc.)?
Under access rights one can choose to block/allow/ask …
I tried to create my own policy, but from time to time I get
problems due to an excess of boundaries: for example
drag’n’drop can’t work … or cut and paste … etc.

The question is: if one of you had to design a customized policy for
your browser and forget any other approach (so not counting on sandbox/buffer overflow protection/etc.),
how would you proceed?

I dug up two posts by the head developer, egemen, that explain more about BO protection in CIS:
https://forums.comodo.com/empty-t38737.0.html;msg280587#msg280587
https://forums.comodo.com/empty-t11662.0.html;msg85565#msg85565

I cannot comment on this any further as I am not a developer.

Suppose a bad guy knows about a 0-day in some "safe app" ... and the "buffer overflow protection" doesn't detect this kind of vector ..... is he able to install a driver, for example?
Safe applications are allowed to install a driver. So if it would get bypassed, I would think the compromised safe application would then install the rogue driver.
What I mean is ... are "safe apps" all the same? Or are there various classes of "safe apps"?
There is only one class of safe applications.
I think a browser has to be treated in a different way from a system app .... one should always suppose that a browser or anything taking input from the internet (even a downloaded file) is potentially dangerous.

But maybe I am missing something.

Are you referring to rules for HIPS or the network firewall?

In any case, what would be a good policy for an app taking input from the internet (browser, media player, etc.)? Under access rights one can choose to block/allow/ask ... I tried to create my own policy, but from time to time I get problems due to an excess of boundaries: for example drag'n'drop can't work ... or cut and paste ... etc.
Experimenting with the various parameters can impact usability, as you noticed.
The question is: if one of you had to design a customized policy for your browser and forget any other approach (so not counting on sandbox/buffer overflow protection/etc.), how would you proceed?
I run the Opera browser and let CIS use the default D+ rule. It has not failed me.

Thanks.

Safe applications are allowed to install a driver. So if it would get bypassed, I would think the compromised safe application would then install the rogue driver. There is only one class of safe applications.

Here we go. That’s what I don’t like about “safe applications”.
In my opinion it would be much better to create at least two classes:
you can’t consider safe a browser or any application taking input
from the internet … even files or videos, so it would be reasonable
to give them a class of their own … safe but much more limited.
That’s the reason why I am trying to create a good policy for
the most exposed apps.
You can trust Google as a company, but their browser can be exploited
and you are toast if it is considered a “safe app” (of course you have
to bypass the buffer overflow protection).

Are you referring to rules for HIPS or the network firewall?

HIPS.

Experimenting with the various parameters can impact usability, as you noticed. I run the Opera browser and let CIS use the default D+ rule. It has not failed me.

What I am doing right now is creating a predefined policy
with reasonable limitations and some “ask” here and there.
Of course I need to use the “paranoid mode”.

http://img831.imageshack.us/img831/8615/comodpolicy.png

It would be nice to have a discussion with a developer
about this configuration.

You would also be warned about another program trying to modify your browser/trusted program in memory. You would see it before it happened; it’s up to the user not to trust unknown programs to modify trusted programs. No protection system is foolproof.

Ok, maybe I figured it out.
I put D+ in paranoid mode, deleted all the policies (with the exception of
Windows Sys, Updater, Comodo), and deleted all trusted files.
In D+ settings > General I unchecked everything.
Then I created a predefined policy “learning mode” where every option is set
to “ask” and used it for “All Applications”.

At this point, I started my browser and did everything I need from
it, including watching videos, PDFs, saving files, etc. I got the obvious popups
and specified what I wanted.

Finally I checked the Firefox policy under
“security policy” and set everything to
“block” (with the exception of keyboard and DNS access). Of course, what I set to be OK before
is an exception and remains so even after switching from
ask to block.

Everything now runs fine and the browser does
only what I want.

I hope some of you can review what I said.
It’s not a good approach for the average user,
I am aware of that, but I think it’s the way to go
if you want to control your apps completely.