LUA + SRP

Yep if you post your full (and properly configured) SBIE config and even comment it in every of its part it would be the most interesting. :-TU

But meanwhile let me focus on some aspect you seemingly neglected:

Well LUA (which in itself provide far more guarantees than SRP IMHO) is available in every Windows edition but Applocker is available only on Windows 7 Ultimate or Enterpise whereas SRP is not available on Home editions.

Indeed SRP can be bypassed quite easily even though it was created to provide admins with a way to control what executables could run locally: There is no doubt existing bypasses proves SRP enforcement might be compromised by a SRP-aware PoC.

Execution prevention in general might grant some protection in case a remote exploit launch intermediate executables but in case of self-contained DEP-aware remote exploits SRP doesn’t apply.

Strange that approach in itself similarly archive 0% risk as well: But another example would be assuming the user won’t need any protection if they are able to execute only code that will not infect them. :-X

Again drive-by infections might not require intermediate executables and apart from being infected, all anybody could be expected to see “are” demo PoCs.

Don’t tell me it would be possible to point you to a live exploit site for an unpatched vulnerability throughout this topic (or a newpaper article that provide enough technical detail about a malicious exploit to clarify what mitigation technologies would not apply)

Even advisories that mention when a “vulnerability” is already actively exploited in the wild do not mention any details about each one of the “crafted exploits” eventually confirmed in the wild.

The only aspects usually documented are vulnerabilities and simple PoC exploits that usually prove only single vulnerabilities whereas that’s all which is needed to have vendors provide a fix which reduce the specific risk to 0% for patched apps…

On the other hand malware authors instead do not have demonstrative purposes and are not limited to single aspects (like research PoCs):

Whereas the availability of DEP demonstrative bypass is common knowledge and reliance on SRP focus only on exploits that launch intermediate executable, DEP+ SRP are not unlikely to fail provided the victim cannot control what exploit a malicious website provides to them (of course LUA and sandboxing might be fit to overcome or simply mitigate eventual breaches)

Perhaps exploiting LUA is less common but privilege escalation vulnerabilities have been documented for years. Considering Malware authors can reasonably assume DEP to be enabled on windows services by default and that such vulnerabilities could be exploited by remote, Inbound filtering would be the only way to prevent such scenario (whereas LUA + SRP + DEP might not do anything).

Local privilege escalation of system services would be specifically meant to bypass LUA and patching the vulnerability would probably be the only practical solution (whenever execution prevention could be considered a theoretical alternative).

These aspects aside there is no doubt DEP + LUA + SRP would reduce/mitigate drive-by risks.

Glad you considered a contingency plan in case this approach get you infected: There is no need to launch an executable from non-reputable source for that though.

Besides would it be there any point to knowingly run harmful executables at all? ???

Of course many dodgy sources can be easily recognized and not running such executable might be a sound baseline approach:

But as much it might appear similar nobody can assume that the user will only launch harmless executables (or for some reason choose launch harmful ones in a containing environment) by rule of thumb whereas this begs the question about recognizing reputable sources or executables (I didn’t notice any mention to any kind of whitelisting )

Of course if anybody would be able to distinguish whenever any file is malicious by simply looking at it (or its sources) sure there won’t need to be taken any risk to execute them.

Some tools or approaches can be used to get an idea about new executables whereas the user has no prior knowledge about the sources (eg a new brand or a vendor or site previously neglected) like looking at what an executable does in a controlled environment before running it unconstrained:

VM and sandbox detection make this approach less trivial though, whereas online scanning might not identify all malware (above article mention a backdoor in in a consumer grade application publicly available for years).

Of course in doubt it would be possible to keep such application always in a constrained environment (eg VM) but this IMHO makes for a cumbersome approach unfit for daily usage and even betting onto reputable-looking applications could easily appear a more attractive solution than that.

Yes every software has been bypassed and bypasses are fixed fast but as far I see to prevent remote exploits Chromium might as well be effective as LUA+ SRP+ DEP+ SBIE.

Nice read, Endymion, thanks.

You’re welcome.

It took a while to edit and the result is somewhat messy. :-[

Yes, and CIS doesn’t come with any Windows edition (although it is free haha) either. In fact, the only other security that comes by default is usually something along the lines of Windows Defender. The point is that, where available, I would take LUA/SUA (available in all versions) + DEP (available in all versions) + SRP/AppLocker any day. Perhaps the main point of this exchange is to enlighten people that their OS does have all this capability to give them excellent protection without the need of potentially conflicting and resource-hogging third party solutions. For me, LUA + SRP + DEP are the “bare bones” of my security setup. That doesn’t mean that LUA + SRP + DEP is weak protection. As you know, in real-world situations for the home user, these mechanisms alone reduce your attack surface dramatically. The fact is that adding SRP + DEP to LUA requires that the malware needs to have some sort of fancy way to bypass the default-deny execution prevention. Remember that scripting processes like cmd.exe and wscript.exe can be blocked by adding rules in your SRP. As far as I am aware, this further takes out a significant portion of malware or even POCs out there.

Yes, I think I see where you’re coming from. However, haven’t we already established that there are no known cases of real-world malware that can jump across LUA + SRP remotely/via drive-by? Heck, I’m even finding it hard to come across malware that can bypass LUA + SRP when I manually execute them on my actual system. And that’s one of the key points isn’t it. If I try ■■■■■■■ purpose to come across these types of malware and don’t succeed, what are the odds that I will come across these types of real-world malware when I am not looking for it on purpose? Common sense tells us that it is highly unlikely.

LUA + SRP aren’t magical tools or software that you need to go out of your way for. They aren’t tools that hog resources or require patches and updates because of conflicts or buggy functions. They are simply built-in functions of your OS that can be easily “turned on”. And if they are there to be turned on, why not do it?

You’ve basically re-stated (in a different way) your points again that LUA + SRP + DEP are easy to bypass, and I won’t repeat my statements and points above in reply to this. You mention that possibility of being “exploited by remote”. How possible is that for the average home user who is at least behind a NAT Router and Windows Firewall?

And yes, Microsoft do issue out patches via Windows Updates regularly - pleasingly, this is something everyone running windows has to do anyway, and so it’s not like it requires “extra work” to maintain. Another nice advantage of LUA + SRP + DEP over other third party solutions.

Exactly. And since we’re in the habit of repetition, let me repeat again that LUA + SRP + DEP are simply built-in functions of your OS. If they are already built-in to your OS, this means all you need to do is enable them. You don’t need to pay more money for them. You don’t need to worry about conflicts with your other software or buggy code that needs to be patched again and again. You don’t need to worry about your system slowing down because of them.

Of course there is no need to launch executables from only non-reputable sources to get infected. Just like there is always a chance of getting cyanide poisoning by drinking the milk from your local dairy. Or (more realistically) the chance that you get Campylobacter sepsis from eating chicken from your local supermarket. The fact is that the chances are much lower than drinking milk from a bio-chemical terrorist organisation etc etc.

You make obvious (and good) points, but to simplify, I was merely suggesting a good “security approach”. As I already said, no one can stop the user executing files willy nilly. Perhaps the main point of this
exchange is to promote others to be more cautious in what files they trust and run. It’s just like which Doctor you choose to go to to get a check-up or to get help when you are unwell - you probably wouldn’t go to a Doctor who told your friend with a headache and a petechial non-blanching rash to go home and sleep it off (and then later dies from bacterial meningitis). Right? Reputation of software is important, as well as looking at digital signatures etc. Sure, it’s not fool-proof, but it’s something to be aware of and it will definitely reduce your chances of getting infected.

In terms of security, I’d choose Linux any day over Sandboxie + LUA + SRP + DEP haha! I don’t quite understand the Chromium concept fully, but I doubt it uses the same mechanisms as Sandboxie. Remember that Sandboxie is highly configurable and its protection applies at the application level, thus arguably making it even more configurable and versatile.

No doubt denying execution might impair malware authors convenience of using intermediate executables…

…but if there was something I expected to came out clear after addressing it twice it was that there is no need for “fancy ways” to defeat the purpose of DEP + SRP whereas LUA could be regarded differently since its purpose is defeated by privilege escalation.

Now I’m at loss of words to see you continue to account only for drive-by but at least I see you omit to mention DEP.

Of course they are not magical tools:
LUA can be defeated by privilege escalation exploitable by remote and SRP can be avoided from remote and defeated locally.

My words simply provided a context to link 3rd party resources. It is not I need to state something when I can basically link at it.

Glad you acknowledged there is something more than LUA + SRP + DEP…
Now I get the impression my words conveyed the point that inbound filtering is a reasonable way to prevent privilege escalation targeting window services by remote:

Indeed updates should be considered a mandatory security step even more when they have the nice advantage reduce things like “drive-by” arguments to nothingness…

Did you mean again drive-by exploits that attempts to run executables?

Do you have any knowledge of live malware exploiting Chromium by means of drive-by?
Looks like vanilla Chromium had none of such issues as well.

I recall you suggested VM + system virtualizer in addition to SBIE earlier and I also read you asked for a malware to run into a VM) in that SBIE bypass topic though the op noted that the malware was VM aware (so it would not behave maliciously if tested in a VM)

Anyway by keeping SRP enabled I gather you don’t execute them in the first place:
Understandably a direct effect of your distrust toward those samples whereas the “protection” is achieved by your choices of what is “reputable” enough to be executed
not-clicking on the malware or keeping the computer turned off would work magic as well

Whereas I see you asserted evocative examples in other threads, I did ask you to not neglect the aspects related to recognizing reputable sources or executables to run unrestricted (of course SRP can prevent anything you didn’t allow beforehand, including bypasses)

With such an example the most I can ask you if anybody should rely on their “doctor” or supermarket judgment about software.

I don’t see anybody taking their chances on that but as far I see it could happen for an user to trade security for commodity following such a (seemingly narrative) criteria as a shortcut.

As I still notice no mention to whitelisting whereas “reputation” surely looks something difficult to magically guess by rule of thumb.

Of course YMMV and you can guess 100% “reputable” softwares over millions but I find difficult to assume anybody would be able to guess that something eg. doesn’t disable SRP when executed by taking a generical notion of “reputation” in account.

I see you omitted Applocker probably considering the price of Windows 7 ultimate or enterprise (or a 7-to-7 upgrade). But you forgot that SRP is featured only on some editions.

LOL ;D Well that is reassuring after reading about Shadow Defender + SBIE + Virtualbox + Drive Snapshot etc…

Then I guess you could be really consider to take a look at Chromium for what you could define “protection without the need of potentially conflicting and resource-hogging third party solutions”

“There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things – you can’t execute on the heap, the OS protections in Windows and the Sandbox.”

It looks difficult for the vulnerability researchers to even create a “PoC” :-X

My friend, it seems we keep repeating the same points over and over again, and now you appear to be analysing what I have written and purposefully degrade it. What are you trying to tell me? That I should stop using LUA + SRP + DEP because it is very easily bypassed? That certainly seems to be what you are heavily implying in your posts. But the question is why not to use it if it is already built-in to your OS? How many people do you know who run LUA + SRP + DEP get their computers infected? I’d bet none, but mainly because they are people who don’t run files willy nilly and have good computer experience and common sense. But I believe that a lot of people would greatly benefit from running LUA + SRP + DEP, or even just LUA. You seem to agree with me but with heavy reservations. Do you not recommend people to use LUA for example? Do you use LUA yourself?

I thought you had basically already agreed with me that enabling LUA + SRP + DEP will reduce your attack surface, particulaly against real-world malware and drive-by attacks. Or do you disagree now? You always seem to say/imply that LUA + SRP + DEP can be effective, but it’s not really that great/effective etc etc because of so and so bypasses and it’s really easy to bypass etc. All your posts are heavy with this implication.

If so, would you also disagree that running CIS will reduce your attack surface etc? I actually had malware that bypassed CIS at least a few times (but I have yet to find a piece of malware personally that can bypass LUA + SRP + DEP) - does that make me not recommend CIS to other people? Of course not. Do I degrade CIS publically and say that it is easily bypassed and imply that you shouldn’t use it? Of course not.

What security do you run yourself? That would be really helpful for others to know what you run, given you don’t seem to think much of LUA + SRP + DEP, and/or have a lot of reservation about them and how there are plenty of bypasses available. Perhaps this is what makes LUA + SRP + DEP so much more effective than other third party programs, since theoretical bypasses are much more publically documented and circulated than other bypasses of other programs. And because of this, Microsoft has a lot of access and information to patch their OS as required, and also users who use LUA + SRP + DEP can set up configurations to block these bypasses, either by tweaking their SRP, or by using other third party solutions like Sandboxie.

I’ve also been trying to emphasise that you don’t need a lot of real time third party security programs to reduce the risk of you getting infected. LUA + SRP/AppLocker + DEP are all part of your OS. But at this stage, you seem to want to emphasise that some versions of Windows don’t have SRP or AppLocker. That isn’t really the point, is it? The point is that Windows has some excellent protection built-in to its OS. And you’ve resorted to almost mocking my posts by implying that I am a hypocrite. If you look carefully at my signature and the way I use my applications, I really only have one real-time security application - Sandboxie. Everything else is on-demand. But then it appears you are seeking to degrade my posts just for the heck of it. You can argue anything in life of course.

And then you also appear to mock my “careful which software you run on your REAL system” comments. Why do you seek to do this? I am trying to help the public here, and yet in my opinion, you are trying to confuse them. Being careful which software you choose to trust and run on your REAL system is very important. For example, running cracked software or running cracks in general would be putting your system at risk of infection, but running an update with Microsoft Windows updates would probably not be so risky. You don’t seem to want to acknowledge this concept, and instead seek to confuse the issue by saying that users won’t need any protection anyway if they knew 100% for sure that whatever they’re running is clean.

Sure, Chromium sounds like a good concept, but as far as I know (I’m sure you’ll correct me if I’m wrong haha), it only has a browser publically available at this stage. However, I would rather have the choice to run any browser sandboxed (and well configured) with Sandboxie and have the option to empty the contents out cleanly and safely in the event of an infection. In fact, if you’re running a Chromium browser, you can get even more protection by sandboxing it with Sandboxie also.

Oh and finally, if it can’t execute, it can’t infect. Simple as that. I personally think that the most effective means of protection is to prevent initial execution. That’s why I like SRP/AppLocker so much. If you allow initial execution, there are many ways to bypass even classical HIPS software like Malware Defender and CIS. And yes, I have actually had real examples of malware or POCs on my system that can bypass programs like Malware Defender or CIS. I have had none which can bypas LUA + SRP + DEP, which is a bit of a shame, because I would like to see them at work haha. One way of seeing it is that if they don’t execute in Sandboxie or a Virtual Machine (because they are “VM-aware”), then these programs have already defeated the malware. Remember, if it can’t execute, it can’t infect. Of course, the whole point of malware being “VM-aware” is to make it difficult for people to analyse them or for the home user to be tricked into thinking it is safe to use on their REAL system. But that does not mean the virtual machine program has been bypassed.

Anyway, my points remain the same:

1. Windows has excellent built-in tools to give you ample protection and peace of mind.
2. Don’t run as admin!
3. Be careful what software you run on your REAL system.
4. You don’t need many third party applications running in real-time to have excellent protection.
5. I’ll think of more sooner or later haha

You didn’t reply whereas I asked just bebore: Do you know any drive-by that can bypass a vanilla chromium? Because if you ask me about what security I run I can surely mention that Chromium is part of it.

While you passed it as builtin feature “You don’t need to pay more money for”, SRP (and Applocker for Win 7) is not available on every windows editions:
Simply mentioning LUA + SRP + DEP, for example won’t get anybody XP home transform into XP professional.

And surely it was unexpected to see you to argue about “protection without the need of potentially conflicting and resource-hogging third party solutions” whereas you described a very complex and heterogeneous assembly of 3rd party applications.

I didn’t think that acknowledging that would be “almost mocking” (what it that single LOL?) whereas as far I see your are the only one branding yourself as “hypocrite” (or perhaps implying someone else did)

While in agreement about reduction of attack surface I made a distinction between LUA SRP and DEP accounting for their weaknesses (BTW didn’t you say they were not magical tools?)

I did say once but I can surely briefly repeat that IMHO LUA in itself provide far more guarantees than SRP:
SRP (if available) can be disabled locally and despite being crucial for remote exploits (you seemingly limited to drive-by execution) nobody can’t just conveniently assume that all remote exploits will use intermediate executables.

Besides just adding DEP to SRP in a cursory mention of protection doesn’t account for evidence that DEP can be disabled by malicious vectors and there are papers and source code available to anybody.

Perhaps it might appear you a sound point to just stick SEP+LUA+DEP together and say they cannot be bypassed while manually running malware but neglect to point out whenever you use SRP to preserve the system integrity or “bypass” SRP yourself by choosing what to execute:

That’s why I repeatedly asked you to clarify how you distinguish between “reputable” and “non reputable” software whereas your “choices” appeared more crucial in such case than SRP itself.

Does whitelisting looks so much confusing rather than your example about milk, doctors and supermarkets?

That strike me as unexpected considering you seemingly promoted an approach that rely on execution prevention based on purely selfmade reputation guesses. ???

Let me repeat again: Of course many dodgy sources can be easily recognized and not running such executable might be a sound baseline approach

But as much it might appear similar nobody can assume that the user will only launch harmless executables (or for some reason choose launch harmful ones in a containing environment) by rule of thumb whereas this begs the question about recognizing reputable sources or executables

Well… Considering LUA and DEP are provided on any Windows edition (xp upward) and that as much of D+ can be disabled/configured just to behave like SRP when I read you had CIS bypassed I assumed you failed to comply with the same approach you are suggesting everybody else to follow.

Simple as that but surely unexpected coming from you. ???

As you know another way of seeing it is that there is no need to force yourself to run them permanently in a VM or SBIE only to for the sake of such point.

Thanks for the reply.

I think you might be getting confused about how I have suggested using SRP. You seem to think that it is related to choosing which files are safe to run. I don’t see how it is really related to my point of using SRP. I mainly use SRP as an anti-executable (whether it be to prevent drive-by executions in a web browser, or to prevent payload execution after opening a seemingly harmless word, excel or PDF file etc) - if it can’t execute, it can’t infect.

Essentially, I have set up my SRP like this:
How to make a disallowed-by-default Software Restriction Policy (you can read about the extra benefits of using SRP on top of LUA in that article)
I have also added a few default deny rules to block files like cmd.exe and wscript.exe etc. In my opinion, a Limited User (or perhaps the average user) should not have access to programs like cmd.exe. I certainly don’t use cmd.exe and can have a happy computer experience without using it.

Yes, as I already said, Chromium sounds good, and no I don’t know of any bypasses for it, but then I don’t know much about Chromium. Also considering that the web browser is the cause of a lot of system infections, running a Chromium web browser sounds sensible. However, you might still need to consider your other threat-gates like CD/DVD and USB drives.

XP home can be enabled to use SRP, but I guess that is besides the point. I do understand that Home versions of the Windows OS do not have SRP/AppLocker, but they still have LUA/SUA and DEP. However, a lot of people are running Professional or Ultimate etc versions too, and my posts have been directed at them also. I’m sure a lot of people who bought Windows XP Professional had not even heard about SRP etc. Well, hopefully after reading my posts, they are now aware about these built-in tools that came with the OS they already paid for.

I did mention a lot of other 3rd party software, but they are all optional really, and none of them are required to run real-time, except for Sandboxie. As you know, running more than one real-time application can cause conflict and hog resources. My setup only really runs one third party security application. All the others are on-demand, and do not take up system resources all the time etc.

LUA + SRP + DEP are not magical tools in the sense that you don’t need to go out of your way to use them - they are already built into your OS. That’s what I meant when I said “magical tools” haha (sorry for the confusion). I’m aware that a lot of people have never even heard of LUA, SRP, DEP etc. Hence why I am trying to educate them - these tools don’t require any downloading, specific updating or maintenance etc. They are basically set and forget.

Again, there is vulnerability in all software, and all require patching from time to time. Microsoft is no exception. The fact is that LUA + SRP + DEP are a great combination (How to make a disallowed-by-default Software Restriction Policy) and adds ample protection to LUA alone. Furthermore, I repeat, they are already built-in to a lot of Windows OS’s, and simply need to be enabled.

And why do you suddenly accuse me of not using CIS properly? I never said CIS could not be configured to block the bypasses (although with some bypasses, no configuration could stop it…until Comodo released a patch some weeks later). CIS (like any classical HIPS) in the right hands is very powerful software for sure. Simple as that.

Of course no one can assume the user will run only harmless executables. But you can try to educate people to be more cautious at what they are running on their REAL systems. This was the point I was trying to make, but you seem to be confusing a very simple issue. Anyway, perhaps we can try to promote people to use VM’s to “play with dodgy software” they probably won’t use again, rather than risk using it on their REAL systems etc. Of course, some people will never listen etc. In this case, software like DefenseWall might be more useful for them. But again, nothing can stop someone from running software as “trusted”.

And why would you run software in a VM or Sandboxie just for the sake of it? I run new software and software from dodgy sites all the time like this, but not just “for the sake of it”. I run them because I am curious about them and it is a good way to test software without potentially corrupting my REAL system’s registry etc, as well as not risking potential malware infestation. I personally try to run as few third party applications on my system as possible (but that’s not to say I don’t have a lot haha).

I did not “accuse” you nor the less about mis-configuring, nor thought about asking you the specific bugreports:
I assume you did not “comply” with the same approach you are suggesting everybody else to follow whereas D+ is able reproduce SRP execution prevention and it is compatible with DEP and LUA. Simple as that.

Indeed I think I acknowledged your use SRP anti-executable to “preserve” the system integrity.

Obviously if you wish to launch a new “reputable” executables you place it in specific folders (allowed by SRP) or run it using SuRun: It goes without saying that focusing only on the part where you take “no action” while SRP active is not enough to describe your overall approach.

I repeatedly asked you to clarify how you distinguish between “reputable” and “non reputable” software whereas IMO such choices are also part of “if it can’t execute, it can’t infect” just like (or perhaps even more than) SRP itself.

Considering that not many would knowingly run harmful executables on their REAL system I guess your educational point could have been better conveyed by finally clarifying how you actually selected “reputable” executables…

Though you mentioned they could be considered defeated if “VM aware” (such point)…

…I wondered if that would have been enough of a reason (sake of) to eventually keep such software in the VM/SBIE indefinitely considering you mentioned no way to confirm them to not be “VM aware” (nor reputable).

I did mention FIX: Update to the AutoPlay functionality in Windows months ago. It doesn’t address CD/DVD but pressing the shift key prevent autorun of dodgy CD/DVD.

SRP was not bypassed with these POCs, while CIS was, even if it was configured to default deny initial execution. In fact, one of the testers was unable to block these POCs no matter how CIS was configured:
https://forums.comodo.com/leak-testingattacksvulnerability-research/some-tests-t38189.0.html

But yes, I agree that D+ is a very powerful tool, just like any Classical HIPS, particularly when configured well. However, I’m suggesting that you might as well use SRP (where available) if you are only seeking a program with anti-execution abilities, rather than resort to a real-time third party solution that may introduce conflicts and hog resources. Furthermore, isn’t it interesting that SRP (a tool that hasn’t really been updated for several years) was able to block those POCs, and yet CIS (also Malware Defender, DefenseWall, GeSWall, Online Armor) was unable to do so until a patch was released for it.

That’s one way to do it, but not my way (on Windows XP). If I want to install new “reputable” executables, I would log into my administrator account to do so. In this way, it guarantees that the application retains the correct file/folder rights/prohibitions in an LUA. I think Microsoft may have tidied things up with Vista and 7 though (with the more reliable built-in “Run as administrator”).

There isn’t really a scientific way (eg. randomised controlled trials and other prospective methods of providing evidence of a trend or cause-and-effect pattern) to distinguish between “reputable” and “non-reputable” files. As you’ll probably agree, it’s more to do with computer experience and common sense. I’d already given some examples to illustrate what would be “risky” and “not so risky” behaviour:
“Risky” = Installing cracked software or software downloaded from dodgy web-sites etc
“Not so risky” = Installing Windows updates or genuine software bought from your local computer store, or downloaded from the site of the relevant vendor etc.

As I’d already explained, I think a lot of people (especially people like us haha) run software etc for the sake of testing it out of curiosity etc. We may even like to test software obtained from dodgy web-sites - in this case, why risk running it on your REAL system? Just run it in your VM and then get rid of it when you finally get bored of it haha. And yes, in this context, the potential malware would be “defeated”, as it didn’t even bother trying to run.

I assumed you did not “comply” with the same approach you are suggesting everybody else to follow whereas D+ is able reproduce SRP execution prevention and it is compatible with DEP and LUA.

It was obviously possible to prevent execution (see below)

So I assume you chose to not use D+ to prevent execution but you did so only for SRP (therefore my assumption was correct)

Of course many dodgy sources can be easily recognized and not running such executable might be a sound baseline approach but you’ll find that aside windows updates and off-shelves software it require some prior knowlegde to identify a trusted source:

You would easily acknowledge then that nobody has prior experience about computer nor related commonsense and thus individual assessments results will vary greatly among eventual adopters.

Whereas whitelisting does grant a baseline but relevant prior knowledge (whenever an user could choose to extend upon with varying results) I did not expect an approach exclusively relying on individual guesses like the one you described.

Yes, I am well aware D+ is able to genearlly deny initial execution just fine (that is, you can configure D+ to act as an anti-executable) and that it is compatible with LUA + DEP. How do I know this? Well, I ran that exact setup on my REAL system for several months! Then I got tired of “house-keeping” D+, and realised I was only using it as an anti-executable. And that’s when I switched on SRP instead (before this, I’d never even heard about SRP, nor did I realise my OS had it already built-in).

No, I always used D+ to deny initial execution and considered it a pass if it could do this (that is, deny explorer.exe calling the malware). Unlike other people, I consider successful blocking of initial execution as a pass. D+ (version 3.8 I think) did NOT block stop2.exe (and maybe some others that terminiated explorer.exe) on Windows XP, 32-bit. From memory, it did produce a pop-up, but even if you clicked deny, the POC would be successful at freezing your mouse and terminating explorer.exe. I tested this on my REAL system on Windows XP, 32-bit. Egeman confirmed this, and released version 3.9 to resolve the issue (https://forums.comodo.com/leak-testingattacksvulnerability-research/some-tests-t38189.0.html;msg276270#msg276270):

In fact, all vendors (including Online Armor, Malware Defender, DefenseWall) released patches for this POC within a few weeks.

I then tested the POC with a default SRP and it successfully blocked all of them, preventing them from freezing the mouse and terminating explorer.exe. In this case, SRP succeeded where many third party solutions failed (and their respective vendors considered it important enough to patch).

I don’t quite understand why you’re making something so simple so complicated. Of course, the “noob” user will have less “computer common sense and experience” than you or I. And sure, white-listing sounds like a good approach - I never said it wasn’t. Here are some points to consider:

1. “Noob user” comes across this thread
2. “Noob user” reads this thread and re-thinks his/her “security approach” and is enlightened to some extent
3. “Noob user” realises that running random software on their REAL systems can be dangerous
4. “Noob user” changes his “security approach” and tries to only run software from well known companies/vendors etc. For other, obviously dodgy files, “noob user” learns to use a VM (in his/her dreams haha…the “noob user” will no longer be a “noob user” if he/she reaches this stage) and plays with these dodgy files in it, thus preventing infection on his/her REAL system.
5. “Noob user” seeks help and asks for information on forums like Comodo before running random software on his/her REAL system.
6. “Noob user” scans random files with Hitman Pro, MBAM, Avira etc, and uploads them to Virustotal before running them on his/her REAL system.
7. Etc. etc.

I hope the point I was trying to make is now a bit more clear.

By the way, with regards to the POCs in that thread, it appears rather confusing reading through it (and reading through another forum talking about it).

Based on my testings from memory (and I remember it well, because I was surprised that D+ didn’t even throw up a pop-up for stop2.exe - I didn’t quite believe it the first time, and clean re-installed CIS 3.8, set it to proactive configuration…but got the same result). Essentially, D+ wasn’t even throwing up a pop-up about initial execution for stop2.exe (but it did for the other ones). I got at least 2 other people to reproduce this (“demoneye” and “arran” from Wilders confirmed this). Here’s arran’s post:

Then in the original Comodo thread, OmeletGuy seems to repeat again and again that stop2.exe completely bypasses Comodo 3.8. Although I must admit it is difficult to understand what exactly he means at times - whether CIS is bypassed despite denying the action of explorer.exe, or whether CIS is bypassed AFTER allowing the action of explorer.exe. In the latter stages of the thread, egeman suggests that CIS blocks the action of explorer.exe just fine. metalforlife then suddenly confirms this (after stating that CIS does not block htaab.exe!!!..very confusing) and states that he must have tested the POCs wrongly after all.

For example:
https://forums.comodo.com/leak-testingattacksvulnerability-research/some-tests-t38189.0.html;msg276525#msg276525:

https://forums.comodo.com/leak-testingattacksvulnerability-research/some-tests-t38189.0.html;msg278495#msg278495

https://forums.comodo.com/leak-testingattacksvulnerability-research/some-tests-t38189.0.html;msg278540#msg278540

Anyway, you might be right that D+ could be configured to deny the initial execution of those POCs, including stop2.exe. Thinking about it now, it just doesn’t make sense that stop2.exe was the only executable out of those 5 that could bypass CIS’s initial execution alert. I mean, what is so special about stop2.exe compared to htaac.exe that allows it to jump past CIS’s explorer.exe calling mechanism? But the strange thing is that I am very sure this is exactly what happened, and I can get “arran” and “demoneye” to confirm this. I also recall that once I upgraded to CIS 3.9 (which included fixes to block the POCs), stop2.exe was easily blocked at the initial execution phase:

Anyway, all very confusing. Perhaps myself, demoneye and arran (and metalforlife) all had a common mis-configuration in CIS? I’m fairly certain we all ensured that CIS was setup to detect initial execution, and to subsequently block it. Perhaps it was only a problem on Windows XP, 32-bit? Or perhaps CIS was conflicting with one of our other real-time security applications (I think I was using Avira AntiVir and Sandboxie in real-time during those days)? Anyway, I’ll leave it at that for now.

EDIT: The following screenshot and links were actually dated around the release of 3.9 RC2 (and thus probably meant for that version) whereas it looks like 3.8 was indeed unable to prevent execution of one the samples (see ssj100’s post above)

That’s why I posted a quote of a member that confirmed execution blocking after initially saying it didn’t, whereas inbetween there was Egemen post that pointed out that execution blocking was working (with screenshot, see below)

The bypass (you linked) egemen confirmed and most were focusing they attention pertained events carried after the user “willingly allowed” execution.

What I can possibly add when the lead developer itself confirmed execution prevention to work with a screenshoot of an alert with the highest severity rating out of D+ malware heuristic detection?

I think that D+ is able to support the approach you described throughout this topic whereas it is compatible with LUA + DEP and execution prevention is one of D+ baseline functions:

That’s why assumed you did not comply with such approach even before you specifically focused on bypasses which you would have prevented in the first place by blocking execution.

EDIT: The previous screenshot and links were actually dated around the release of 3.9 RC2 (and thus probably meant for that version) whereas it looks like 3.8 was indeed unable to prevent execution of one the samples (see ssj100’s post above)

Thanks for the clarification.

Aside eventual pitfalls I mentioned already Multiple AV scanning and controlled environment (eg VM) might help.
For the complicated part (I found difficult to take for granted without whitelisting): Asking around about unrecognized applications would help as well and somewhat address the case user does not have prior knowledge of reputation of a vendor (which might be “well know” to some other user).

Thanks, please read the above post about other people re-producing the bypass like I did…as I said, it’s very confusing and I can’t work out why it occurred (I remember testing it repeatedly, even configuring CIS to be in Paranoid Mode etc, but kept getting the same result). Could it be something to do with Comodo’s safe-list or white-list database (https://forums.comodo.com/news-announcements-feedback-cis/comodos-whitelist-database-t44245.0.html) ? But how could stop2.exe be in Comodo’s safe-list?

And yes, I am well aware D+ is able to generally deny initial execution just fine (that is, you can configure D+ to act as an anti-executable) and that it is compatible with LUA + DEP. How do I know this? Well, I ran that exact setup on my REAL system for several months! Then I got tired of “house-keeping” D+, and realised I was only using it as an anti-executable. And that’s when I switched on SRP instead (before this, I’d never even heard about SRP, nor did I realise my OS had it already built-in).

As you tested that also in Paranoid mode (which disable automatic allow whereas files are safelisted) with the same result IMHO safelisting was out of question.

FIXED! CIS blocks some application from being executed

My apologies :-[ Looks like [b]I was wrong all along[/b] and (other bypasses aside) 3.8 failed to block execution of stop2.exe (Though [url=https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-3995478509-released-t39202.0.html;msg284178#msg284178]3.9 release notes[/url] seemingly mention about the opposite issue ??? )

It is an old bypass but nonethless disappointing.

I’ve been interested on this subject lately, specifically on SRP.

Question:
I have CIS 3.14 set up so that Defense+ is Clean PC mode and every new executable added to my PC cannot execute (Parental Control + supressed alerts). It’s been perfect for me for several months. I temporarily disable Parental Control whenever I need to clean uninstall and reinstall my existing or new programs. Can I achieve a similar level of security and ease of toggling on/off with my Administrator account and SRP?

Yes, you can pretty much just as easily do it - just place a short-cut to “Local Security Policy” somewhere on your desktop or QuickLaunch for easy access to disable/enable SRP. But I’d recommend LUA + SRP (+ SuRun). I also tried running Admin + SRP for a short while, but it doesn’t provide the synergistic protection that LUA + SRP offers (see the first picture in this link: How to make a disallowed-by-default Software Restriction Policy).

It’s obvious that LUA > Admin account in security, but I have my reasons like I don’t want to lose any customized settings, tweaks etc after I mastercrafted this account ;). If and when I do upgrade to something like Windows 7, I’ll go for it, but not now. After all, I’ve been using Admin accounts since I knew computers

I’ve read that guide before and I like the minimal # of steps :-TU, but I how do I mimic a similar setup like my current CIS, to define it in such a way that all files on my existing PC are exempt from the restrictions (i.e. whitelist them)? I guess this part is what makes Defense+'s Clean PC mode so convenient due to its automatic rule creations; created as normal operations are performed and various permissions needed.

You might simply like to try it out. I have basically set SRP and forgot about it. It’s literally set and forget, and it’s very likely you won’t have to add any more rules to it. The key thing to realise is that all programs can execute from C:\Windows and C:\Program Files. It’s very simple stuff, and the protection benefits are huge when combined with LUA.

However, I do understand why you like CIS a lot - I did too, and still recognise that it is powerful and fairly easy software to use. However, I personally don’t require a classical HIPS, since I would only use it as an anti-executable. Furthermore, when re-installing programs etc, the classical HIPS will always ask more questions and give pop-ups etc - that’s another reason why I turned to SRP. Also, I like to keep real-time third party programs to a minimum.