New ways to bypass firewalls

That highlights well the dangers of adding extensions from unknown origins willy nilly. The HIPS will just see these as components of the browser itself (which in effect they are) and allow them the same level of permissions that the browser itself does. Whether a more ‘intelligent’ HIPS type program would differentiate between the main application and its extensions I’m not sure. It’s something to study though.

There is another problem involved: even if this intelligent HIPS could do it, in what form is it going to do it? If it’s an understandable name of the extension itself, then most users will know what the HIPS is warning about, but if it’s just one abstract dll, then there will be problems. Take a look at the list of Firefox components below. I made one up myself, the others are genuine. Can you spot the malicious one? The odd one out is js2350.dll, which doesn’t exist as far as I know. I can hardly imagine that the average Joe will know what to do with this; allow or deny. There are some others that look more frightening. Shall we deny them or allow them?

jar50.dll
js2350.dll
js3250.dll
nspr4.dll
myspell.dll
npnul32.dll
nss3.dll
nssckbi.dll
sll3.dll
smime3.dll
softokn3.dll
spellchk.dll
xpcom_compat.dll
xpcom_core.dll

Paul Wynant
Moscow, Russia

The idea is to have a comprehensive enough safelist so that the only time we ask the question to the user, the user will know there is something out of the ordinary.

The key is the safelist!

Melih

I agree entirely, the technically savvy user will struggle to determine which items are legitimate and which are malware components, let alone an average user! If we look at something as straightforward as service.exe, we can see here it has numerous possibilities both legitimate and not. http://www.processlibrary.com/directory/files/service/

Unless we do an in depth analysis of each and every file entering the PC it can be extremely hard to know friend from foe. Software that limits system access to parent processes can offer some help. ProcessGuard for example allows the user to set access/modification rules for each component, plus of course sandboxing denies any access to the ‘real’ system. There are limits though, which are largely dependent on the amount of configuration the user is willing to perform.

Agreed! It’ll need to be an extensive, constantly updated safelist though to be of value.

See what you mean, Melih, and I appreciate how hard you guys work to make everything as convenient as possible for the user. I just hope COMODO will be able to keep up. I remember that when Firefox 2.0 appeared, I immediately sent it to COMODO for analysis, but it is still marked as ‘UNKNOWN’ in my application list (not in the ‘safe’ database yet)…

And anyway, HIPS is something for power users only. If people are asked to answer to questions they don’t even understand, they may compromise their computer rather than protect it. The default settings for those users are more than good enough and this should be stressed with an alert if possible before they decide to activate the option.

Paul Wynant
Moscow, Russia

Indeed.

I have a few ideas (:NRD)
Let’s see how they pan out (:WIN)

Melih

The safelist dept is not fully up to speed yet, nor is the update mechanism fully in force in each application. We are working on both. Give us about 6 months and then re-evaluate it :slight_smile:

Melih

I’m not complaining, Melih. Just theorizing about HIPS… (:WIN)

Paul Wynant
Moscow, Russia

No doubt that if it’s feasible you guys will accomplish it.

Sorry to interrupt this highly enlightened (and enlightening (:CLP)) conversation, but the average joe, ME, asks in conclusion:
(:NRD)
With Comodo Firewall, and a sandbox (or CPF3), using Opera without Cookies, Java, Javascript and plugins (this being necessary?), ceteris paribus (everything else being equal), can anything get in?
Using Firefox to check mail and IE7 to update Windows?
Particularly Sandboxie and GeSWall if you need specific input.
And then whatever inside (AV, Prevx, Hawks, Dragons, SSMs, DSAs… lol)

(B)

The fact is even running 50 security apps, besides turning your P4 into a 486, you could never be 100% secure. As someone once told me, 100% security can be achieved very easily: just unplug your modem and don’t install anything and you’ll be safe and sound (:TNG)

However you will be pretty safe if you do what you said, just give Melih a little more time and that 100% security will be a certainty I’m sure (:WIN)

The problem is that the conventional ‘security’ wisdom doesn’t work. If it were working, the rate of systems being compromised would be going down, wouldn’t it?

  • Here’s how Windows works: permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program, anti-spyware or HIPS.
    This includes very dangerous code, programs you may use once a year or so, old viruses, new unknown viruses. And nothing is asked if it’s not known as bad. This is utterly stupid.
    Try your HIPS, anti-virus, and anti-spy against this:
    http://www.pc-st.com/us/download.htm
    It’s just a set of tests to scare you into buying their VirusKeeper; don’t fall for it. It’s just to demonstrate that NOT EVERYTHING is controlled by your HIPS. Most educative is the ‘Proof Mode’. Minimum requirement to do the tests: you should allow it to be launched by explorer.exe if your HIPS asks you to and give it access to the Internet in COMODO (It doesn’t compromise anything, don’t worry).

  • Microsoft should give an example of safe-hex. But if you want to watch/use their wonderful ‘Update’ site, and go through the ultimate Windows experience, you have to use that (deeply integrated into the OS) disaster called a browser, IE, (sorry, TheTOM_SK) and enable the very mechanisms that cause all the trouble: ActiveX, java+javascripts. Where’s the logic?

  • The only really good idea in security used to be a firewall. The first models were based on DefaultDeny: unless specifically allowed – deny. But users demand ‘convenience’. So, many firewalls have undeletable default permissions nobody knows about for the ‘convenience’ of the user. Although everybody knows that Microsoft’s products have a sad history of nothing but ‘bugs’, many firewalls still pre-configure rules for IE, OE, Outlook, etc. as ‘trusted’, ‘safe’, etc. Where’s the common sense? Or maybe that’s the price you have to pay if you want to get a Microsoft license? Anyway, fact is that by allowing an application access to the Internet, you punch a hole in your firewall, a hole through which the mechanism mentioned in the first paragraph can be activated by OUTSIDERS.

In the light of the above, you will probably understand why I configured my COMODO firewall along the lines indicated in this thread:

  • Humanity has a common database of something like half a million pieces of ‘malware’. Wouldn’t it be more sensible to list only the good things and deny the rest? The lists of badness contain only what we know about. Does that mean that everything that is not in the list is automatically good? Why don’t any of the security applications work on the principle of enumerating good things? Wouldn’t that be easier, more transparent, and above all: safer?

  • The same goes for ‘bad Internet sites’. By default, we allow everything that is not known as bad. There are efforts now to enumerate bad sites. This is the same stupid principle of enumerating badness. In my mind, they are all untrusted, and the only module I know of that does everything right is the Firefox extension NoScript: everything is denied without nagging alert pop-ups, and you have the possibility to allow (even by third party) by a simple click on the icon in your browser.

P.S.: Any excuses from security people about how complicated it is to know what the bare minimum of good things on XP would be should be waved aside: either you’re an expert, or you’re not.

  • Software and operating systems should be secure by design and should be designed with flaw-handling in mind. Software that is not secure by design should be abandoned, not patched. And what do we do? Every month we eagerly wait for something we think is an addition to our security. I’d better not tell you how often these ‘updates’ and ‘patches’ have ruined the very strict security settings on my computer! You disable services and Microsoft turns them back on. Shame on them.
    Windows services should be disabled wherever possible along the lines indicated here:
    Comodo Forum
    (reply #18)

Here’s what my Internet connection tabs look like. It’s in Russian, but you’ll understand the idea (see screenshots). Of course, doing this involves disabling file-sharing and stuff… After you ‘unbind’ (or even better: remove) the Client for Microsoft Networks and its related File and Printer Sharing from all of your TCP/IP-using adapters, you will have solved more than half of your security problems.

Paul Wynant
Moscow, Russia
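As an added example (not part of the original post), here is a PowerShell audit of the ‘Client for Microsoft Networks’ and ‘File and Printer Sharing’ bindings described above, with an optional unbind step. It assumes the NetAdapter module (Windows 8 / Server 2012 and later, not the XP systems the post discusses) and the component IDs ms_msclient and ms_server, which are the standard names for those two components.

```powershell
# Added example, not code from the original post or from Comodo.
# Audits, and optionally unbinds, the Client for Microsoft Networks
# (ms_msclient) and File and Printer Sharing (ms_server) on every adapter.
# Requires the NetAdapter module (Windows 8 / Server 2012 or later).

$components = @('ms_msclient', 'ms_server')

function Get-SharingBindings {
    # One row per adapter/component pair that is still enabled.
    Get-NetAdapterBinding -ComponentID $components |
        Where-Object { $_.Enabled } |
        Select-Object Name, DisplayName, ComponentID
}

function Disable-SharingBindings {
    param([switch]$WhatIf)
    # Unbind on every adapter; -WhatIf only reports what would change.
    foreach ($b in Get-SharingBindings) {
        Disable-NetAdapterBinding -Name $b.Name -ComponentID $b.ComponentID -WhatIf:$WhatIf
    }
}

# Report first; run Disable-SharingBindings from an elevated shell once the
# report looks right (leave ms_server on any machine that must share files).
Get-SharingBindings | Format-Table -AutoSize
```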

[attachment deleted by admin]

And yet another one. I can’t see this type getting past COMODO or past your HIPS, but your AV/Antispy might not be ready for this scenario:

Malware with new features. Disables the Windows Firewall, does keylogging, maps the computer’s location, and sends everything to an FTP server where it’s sorted by location. Plus installs a whole host of additional malware. Thank you, Microsoft, for the default setting ‘hide file extensions for known file types’. The Loveletter virus is probably the best example of hidden double-extension tricks, and that was rather long ago. And the stupid default setting remains in XP and in Vista! Are they doing this on purpose or what?!

P.S.1) To ‘unhide’ ALL extensions - Microsoft’s directions:
- select Start | Settings | Control Panels | Folder Options
- select the View tab
- UNcheck “hide file extensions for known file types”
- Click OK to finish

P.S.2) But don’t let Microsoft fool you! Even after you unhide the extensions using the above steps, you still cannot see certain hidden extensions for files ending with .shs, .pif, and .lnk (a suspicious case of Microsoft’s infinite wisdom). Unfortunately these files are executable, and are rapidly becoming the most popular choices for many Trojan horses, such as “Movie.avi.pif” which will look like “Movie.avi”, and “ReadMe.TXT.SHS” which will look like “ReadMe.TXT”. Instead of being a movie and text file, respectively, they could both be dangerous Trojans. To really show ALL hidden file extensions, open regedit and type in the search field: NeverShowExt
Do a search and delete ALL objects in the right window with this value.

Paul Wynant
Moscow, Russia
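As an added example (not part of the original post), a read-only PowerShell audit of the NeverShowExt mechanism described in P.S.2: it lists every ProgID under HKEY_CLASSES_ROOT that carries a NeverShowExt value and the extensions mapped to it, so you can see exactly which extensions stay hidden before deciding what to change. It assumes the standard registry layout where each ‘.ext’ key’s default value names its ProgID.

```powershell
# Added audit example, not code from the original post. Read-only: it reports
# which ProgIDs set NeverShowExt (extension hidden regardless of the folder
# option) and which file extensions point at them. Deletes nothing.

$root = 'Registry::HKEY_CLASSES_ROOT'

# Map ProgID -> extensions, from the default value of each ".ext" key.
$extByProgId = @{}
Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($progId) {
            if (-not $extByProgId.ContainsKey($progId)) { $extByProgId[$progId] = @() }
            $extByProgId[$progId] += $_.PSChildName
        }
    }

function Get-HiddenExtensionProgIds {
    # Emit one object per ProgID that has a NeverShowExt value, with its extensions.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '.*' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'NeverShowExt') {
                [pscustomobject]@{
                    ProgId     = $_.PSChildName
                    Extensions = ($extByProgId[$_.PSChildName] -join ', ')
                }
            }
        }
}

# Expect entries such as lnkfile (.lnk) and piffile (.pif) on a default install.
Get-HiddenExtensionProgIds | Sort-Object ProgId | Format-Table -AutoSize
```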

How does this malware connect to the net? Directly sending the data?

I have no idea, egemen, but I guess through the usual default IE channels: The author mentions Browser Helper Objects. That would be logical; they are usually unnoticed by the firewall…

Paul Wynant
Moscow, Russia

My son got an image.pif through MSN, and it messed up his PC. It took a while to get rid of, and it did send itself to his contacts. So I told him that pif is not a valid extension, and he has stopped a few since then, and his friends as well. So it seems popular right now…
He has CPF and NOD32, but I can’t say if he had them on…

A quick and trouble free way to close the vast majority of inherent flaws within the default XP configuration is to use a utility called Samurai. It basically ‘hardens’ the system against many threats by closing many security holes, switching off unsafe services etc.

http://www.download.com/Samurai/3000-2092_4-10422273.html