Trying something different

I have decided to test something radically different in my security setup. Tell me what you think of this scenario.

DeepFreeze
Anti-Executable, on high settings with copy protection selected
Windows Firewall
Sandboxie, using a ramdisk
Firefox w/NoScript locked down with max settings

No AV
No HIPS
No Antispyware

I shut the system down every night so all changes are put back to the original image when I reboot. I would normally use CFP 3 here as my firewall/HIPS, just to help let me know if something is on the pc or not, but I am trying to simulate a very basic setup that any user could set up and then they would be set to go.

The image was a new reimage before I put on DF and AE. If I want to buy something online I reboot first then reboot again when I am done to make sure nothing can get my card number.

I just decided that I’m tired of this don’t stop this and that don’t stop that so I decided to go way out there and see what happens. We’ll see if I can keep it running or not.

I will after this basic test put CFP 3 back on as I like it.

I welcome your thoughts.

jasper

Getting rid of all session info when you reboot is a good idea for a niche market imo, like internet cafes, schools etc. Sometimes, if you feel like just browsing etc… then why not use it… however for the majority, the difference between what they should keep and what they should discard is not easily discriminated, and that’s where the problem starts. However, the technology has a use in niche markets and even for some home users who just want to browse for that session.

I would agree with you. This setup is not for anyone who needs to modify programs a lot, as I have found out that you need to reboot more than once on some updates to programs for DeepFreeze to catch all of the changes. What I am trying to see is how safe the virtual programs are. Will they stop it all and let me reboot to fix it, or will they be compromised? Also I want a system where all I have to do is turn on my pc and go surf without caring what I do on the Internet. I realize this set up might seem way out there but then again maybe not.

There are obviously going to be other ways to configure this with different programs such as Returnil or SafeSpace as a replacement for DeepFreeze, and I will probably try that to see how they perform but with this setup the pc is for doing nothing but checking email online, surfing the net, and doing IM.

I figure this post should bring about some interesting opinions, including the ones who think I’m crazy. :o

By the way, I normally use CFP3 (I will put CFP back on as it runs well with this config), Avast 4.8 PRO, SAS, and CMF with my browsers and IM running with Sandboxie and have not had one problem from infections. I just think that if we can’t keep up with the huge number of viruses and malware then maybe we should look in a different direction to see if maybe we can do something else that works better yet gives you the same protection and can be set and forget yet flexible (that isn’t asking for much, is it?).

I am expecting to see some very good discussion on this from this forum.

jasper

Well in this case you will like what we will be launching soon :)

Seems like it’s a good setup, and it should be pretty easy both to configure and use. Only way to bypass your protection is to run DeepUnfreezer.
It should be pretty interesting to test, but I prefer CFP 3, CMF and Sandboxie (and of course Firefox with NoScript). If you know what you’re doing, you’ll be fine with what I’m using.

Cheers,
Ragwing

I too like sandboxes in some way. But I guess virtualization software cannot protect you from a keylogger or another trojan that will install itself to the system (no matter that it’s for 1 session only; no interruptions as no HIPS is present), steal your personal information, and pass it to its master. Yes, it will disappear on reboot… But valuable info has already been sent.

One way to deal with such threats without HIPS is to thoroughly configure Sandboxie to read-protect some data. This is not an easy solution. The hardest thing is to foresee all possible variants trojans may use to steal data.

As for me, I think it’s better (and more convenient) to control the system with HIPS rather than eliminating any change upon reboot.

I do agree a sandbox is useful, but it cannot be compared to HIPS imo. If I’m wrong, and there are some easy ways to prevent data leakage without HIPS, let me know please.

Good point, goodbrazer…

You have to make sure you don’t do anything important during that session, otherwise you could be compromised!

Melih

Well, if jasper2408 would add a third-party firewall (like CFP 3), he wouldn’t have any problems with that. The keylogger will be installed, but CFP 3 will prevent the important information from leaving the computer.

I normally use about the same basic security setup as you and like yourself I have never been compromised. My thought was to try and simplify the setup for myself. I will have to download DeepUnFreeze to see if it still works or not. I think I read where they have beefed up the password security but will have to test that.

I too like sandboxes in some way. But I guess virtualization software cannot protect you from a keylogger or another trojan that will install itself to the system (no matter that it’s for 1 session only; no interruptions as no HIPS is present), steal your personal information, and pass it to its master. Yes, it will disappear on reboot… But valuable info has already been sent.

According to the documentation for AE, it is supposed to stop any type of executable from running that wasn’t there when AE was installed. Seems that this should stop keyloggers and trojans but I can’t vouch for that yet.

Well, if jasper2408 would add a third-party firewall (like CFP 3), he wouldn’t have any problems with that. The keylogger will be installed, but CFP 3 will prevent the important information from leaving the computer.

That is an option I had planned on using later after testing with Windows firewall. Something that could see and stop activity if AE doesn’t hack it.

Well in this case you will like what we will be launching soon.

And what would you be launching?

jasper

One thing I did forget to mention is that if you bought both DeepFreeze and AE it would cost you $90. That is per year every year. Not real cheap in my eyes.

jasper

Ok last night I tried downloading files from the internet and from testmypcsecurity to test them on this setup, and all of the files were allowed to be downloaded to my desktop as I allowed them to be saved to my desktop from Sandboxie. They were all .zip files so I double-clicked all of them seeing if a careless user could get any of them to run, and AE stopped all of them and would not let me run any of the .exe files.

What did bother me was I made my own batch file with notepad and placed it on my desktop. I then ran it expecting AE to stop it and it didn’t. This is supposedly an executable so it should have stopped it as I made it while AE was installed and active. Not good.

I then tried the same thing with a .vbs file that I made with notepad and AE did not stop that from running either. Also not good.

I am guessing that since wscript.exe is considered safe on the whitelist of AE that it doesn’t even try to stop it, and there is no way to add extensions in AE.

To be honest I have tried the .bat file while I was running CFP3 and it did give me a popup for wscript.exe.

On a reboot the .bat file was gone and everything was as it was before but the system could have been compromised before a reboot and as stated before anything could have been running without me knowing about it.

Since I am trying to see if a person could just do anything they please and not be affected, this doesn’t look too good so far. I guess if everything you download is an .exe file AE will stop it, but now I am wondering if it is a .bat file will it stop it or not from the outside. I guess it would depend on what the .bat file starts on the pc as to what damage is caused.

later

jasper

I was quietly following so far, but this is better than JamesBond, coz it’s happening as we speak. Don’t stop the tests, jasper. :-TU

In an ideal scenario (not Dilbert-like ;D ), the sandbox would be achieved by using a remote desktop, like a remote terminal in UNIX (there are some experiments with virtual desktops on the web, but I’m more confident in my own). Maybe an idea for “…what to develop next?”

How did it go with the Delvolume test from testmypcsecurity?

If I had a test machine, I’d also install “Client for M$ Networks” with NetBios, SNMP, Gateway discovery, and the list can go on. Many install those together with Windows, just in case – even if they don’t need any – Messenger, also. There is much debate these days concerning ports 135-139 and 445 on the FW threads.
And then, you could share – password protected – one folder from your RAM disk.

Looking forward to your next tests,

The only way I found to be warned about malicious script actions in CFP v3 is to not have wscript.exe in Computer Security Policy (not a trusted application). Because if you have it and it is allowed to do something, a malicious script would have the same permissions.

How did it go with the Delvolume test from testmypcsecurity?

The DeleteVolume test is what got me thinking about doing this. I am a firm supporter of Comodo and I use CFP3 and CMF in my normal security setup without any problems at all. I am not trying to discredit Comodo by doing this test, but I was just curious if a normal person could use these two programs (which have no setup to speak of) and go on the internet and survive unscathed. I am going to go anywhere I want and click on anything I want to see if this setup will stop the infection or put my system back once I would get infected.

I am going to test the download/click anything part first then I will disable AE and run the tests on mypcsecurity to see what happens. I figure once I see what can happen then I can deal with that part later to try and see if it can be stopped in a simple and easy way.

The only thing that can be changed in AE is the Low/High security slider, and there are 2 tabs to allow certain files and folders to be exempt from AE. On the High setting you also have the option to stop the Network, stop Delete, stop Copy and stop the CD. I have Stop Copy and Stop CD checked, and it seems the Stop Copy is what is stopping the .exe files from running. I did read that the Stop Delete can cause problems as some files that Windows modifies and adds are affected, so I left it unchecked for this reason to keep conflicts to a minimum.

The only way I found to be warned about malicious script actions in CFP v3 is to not have wscript.exe in Computer Security Policy (not a trusted application). Because if you have it and it is allowed to do something, a malicious script would have the same permissions.

I agree, as I tried this with CFP3 and if I did not allow wscript.exe the first time then you would have to disallow all of the other files also, which could be a lot of them. Yet the second time you would run it, after not remembering previously, it would not ask and would run everything. I’m sure that it can be configured to stop it but this is my experience with it. I am going to try and see if I can tighten that up when I get back to my old setup with your suggestion.

From reading other threads on all of the security forums that I go to I get a sense that average joe wishes they could just get on the internet without having to learn anything and they are protected. That’s a tall order to have to try and do. That is the point of this test. I am trying to test something that uses virtual programs to just go out on the internet and just click on anything I feel like. I have never seen a test where they just surf anywhere and see what happens. No controlled tests, just whatever happens happens. If it doesn’t work out then maybe it can be fixed and something learned.

One thing I did not mention previously, I do have 4-5 other on-demand scanners on here, disabled until I get ready to shutdown. I scan with all of the programs before I shutdown to see if they find anything. So far nothing has shown up, and I also scan when I first boot to see if something might have gotten thru the reboot. Yeah that takes awhile to do but I have to be fairly sure that I am starting with a clean system.

Some things that seem to stand out already are:

  1. how to stop .vbs and .bat files from running even if they are put on the system by the user. There should be a way to add file extensions that can’t be run if they were not on the system from the start.

  2. how to be sure that I am not infected while I am surfing and give out confidential info. Sandboxie should stop this on everything but port 80 but I have seen some tests supposedly get out port 80 with Sandboxie. Up for suggestions on this one.

I am hoping for suggestions and ideas from everybody as that is what this forum is good at. It has to be simple though or I won’t use it. Something the normal joe can do without much effort.

I would also like to thank Melih for allowing me to post this test.

Now on to the dark side

jasper

Jasper, on Anti-Executable, you should read from Rich’s posts (Rmus in Wilders forums). His website also has a few tests by him with several malicious programs/tests.
http://www.urs2.net/rsj/computing/tests/Anti-Exec/index.html
So far, from his searches, all malware he was able to find, even if initiated by a script, tried to execute a BINARY file. That’s what AE means by executable, binary files (exe scr dll and so on). AE blocks all.
Here is his page on scripts:
http://www.urs2.net/rsj/computing/tests/scripts/index.html
Hell, here’s his whole site ;D (where i finally got the hang of TCP/IP and firewalls with Kerio 2.1.5):
http://www.urs2.net/rsj/computing/

AE’s “problem” is being rigid. It basically scans the whole drive, puts all executables found in the whitelist, and then blocks everything (and additionally, as you saw, blocks the download of executables).
Its primary market is what Melih refers to above, though it’s usable for home PCs.
There is no blacklist, there is no allow button. Only on, and off + scan.

There were freeware programs that did the same, but more flexibly: Exe Lockdown or something, and Abtrusion Protector (still available here - http://www.pcworld.com/downloads/file/fid,56608-order,1-page,1/description.html ).
Exelockdown doesn’t MD5 the files; that’s its main issue. Abtrusion’s way of working is fantastic. But it’s no longer developed, and has a few annoying bugs, which don’t seem to affect its blocking capabilities, note. I don’t know if they can block absolutely all executables, since I never read or tried any tests on them.

Instead of wasting your time reading my post :) , I suggest you do an (advanced) search in Wilders for “Anti executable” by user “Rmus”. For scripts do the same with “script” or “script block”, perhaps also “Wormguard”.
I should have the threads bookmarked, but I don’t. I’ll try to fish the best for you.

On script blockers:
The best script blockers are able to block embedded scripts as well (in doc, xls…), and imo they are RegRun’s RunGuard (big problem is it’s a suite of utilities, imo very confusing), WormGuard (from DiamondCS - word of caution, don’t buy anything from them - DiamondCS Support Forums closed | Wilders Security Forums) and Script Sentry. All of them have issues, but I tend to like Script Sentry and WormGuard (hey, the trial from MajorGeeks works…). In fact, script blocking seems to be rather problematic, since it’s not just wscript.exe. The browser does its own interpreting, Office, etc.

Script Defender can block custom extensions, but that’s about it.

I’ll get back on this.

These are a few I found. It’s late, I give up :P
Hope you’ll find them useful!

Cheers
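A small model of the scan-and-whitelist mechanism Pedro describes above, which also reproduces the .bat/.vbs gap jasper reported earlier in the thread. This is an added example, not Anti-Executable's or Comodo's code; the file layout, the function names (`decide`, `vet_scripts`) and the interpreter list are constructed for illustration.

```python
"""Toy model of the scan-and-whitelist blocker Pedro describes (Anti-Executable style).
Added example, not Faronics or Comodo code.  Binaries found at 'install' time are
hashed into a whitelist; later launches are allowed only for unchanged entries.
vet_scripts is a constructed extension that closes the .vbs/.bat gap jasper hit."""
import hashlib
import os
import tempfile

BINARY_EXT = {".exe", ".dll", ".scr", ".com"}
SCRIPT_EXT = {".vbs", ".bat", ".cmd", ".js"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}   # constructed list

def file_hash(path):
    # MD5 mirrors the thread's discussion; a real tool today would use SHA-256.
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def build_whitelist(root):
    """One-time scan: remember path -> hash for every binary and script found."""
    allowed = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in BINARY_EXT | SCRIPT_EXT:
                path = os.path.join(dirpath, name)
                allowed[os.path.normcase(path)] = file_hash(path)
    return allowed

def is_whitelisted(allowed, path):
    """Known path AND unchanged content (hash, not just name, per Pedro's MD5 point)."""
    key = os.path.normcase(path)
    return key in allowed and os.path.isfile(path) and file_hash(path) == allowed[key]

def decide(allowed, image, args=(), vet_scripts=False):
    """Return 'allow' or 'block' for launching `image` with `args`."""
    if not is_whitelisted(allowed, image):
        return "block"          # new or modified binary: what AE blocks
    if vet_scripts and os.path.basename(image).lower() in INTERPRETERS:
        for arg in args:        # whitelisted interpreter: vet the script it was handed
            if os.path.splitext(arg)[1].lower() in SCRIPT_EXT and not is_whitelisted(allowed, arg):
                return "block"
    return "allow"

def demo():
    """Constructed disk: system32 with wscript.exe, then post-scan additions on the desktop."""
    root = tempfile.mkdtemp()
    sys32, desk = os.path.join(root, "system32"), os.path.join(root, "Desktop")
    os.makedirs(sys32)
    os.makedirs(desk)
    wscript = os.path.join(sys32, "wscript.exe")
    with open(wscript, "wb") as f:
        f.write(b"MZ constructed interpreter stub")
    allowed = build_whitelist(root)                 # the baseline scan
    new_exe = os.path.join(desk, "download.exe")    # downloaded after the scan
    new_vbs = os.path.join(desk, "test.vbs")        # written in notepad after the scan
    for path in (new_exe, new_vbs):
        with open(path, "wb") as f:
            f.write(b"constructed content")
    results = {"new_exe": decide(allowed, new_exe),
               "vbs_via_wscript": decide(allowed, wscript, [new_vbs]),
               "vbs_via_wscript_vetted": decide(allowed, wscript, [new_vbs], vet_scripts=True)}
    with open(wscript, "ab") as f:                  # tamper with a whitelisted binary
        f.write(b" patched")
    results["tampered_wscript"] = decide(allowed, wscript)
    return results
```

The plain whitelist blocks the new .exe and the tampered interpreter but lets the new .vbs through via whitelisted wscript.exe; only the script-vetting extension blocks that case.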

Ok, here is what I found so far to block them with D+ of v3:

One can have wscript.exe and cmd.exe as trusted under Computer Security Policy. The trick is that when someone tries to execute a .vbs or .bat file, an alert is shown: “explorer.exe tries to execute wscript.exe” or “explorer.exe tries to execute cmd.exe”. So at this stage you can allow a known script and block any other.

Please correct me if I’m wrong and there is a way to pass commands from a .vbs or .bat file directly to wscript.exe or cmd.exe in such a way that D+ cannot intercept them.

Thanks Pedro and I will go and read the other threads that you have posted.

Thanks Pedro, I had already read the Wilders stuff but the one link to the person that has tested AE pretty thoroughly was very interesting. According to his tests AE does a pretty good job of blocking stuff. He has proven to me that AE does the job. I see no point in testing AE further as he has proven to me that it works.

As far as testing DeepFreeze, I did try all of the pertinent leak tests at testmypcsecurity and I was able to return the OS to its original state after a reboot each time, including after running DeleteVolume. DF is kinda quirky at releasing the OS for changes, and LowWaterMark had mentioned that previously in the posts at Wilders. So I think it does its job fairly well also.

Now to my original intent at posting this thread. What intrigued me was AE. It seems to have the ability to stop anything off of the internet, including zero-day threats. I had been wanting to test running without an AV/AS by using Comodo firewall\D+ for some time, and this got my peanut brain thinking (not always good). Do you think Defense+ could be set up to protect a person like AE does, or is it already there with the default settings? Has it ever been tested anywhere thoroughly like the AE test? I am talking real-world drive-bys, zero-day attacks, and the like. I have really never dug deep into D+ yet as I have been too lazy, with an attitude that if they say it works and it isn’t causing me any problems then it must be working.

Another thing that I noticed, from the Matousec tests, he is testing the firewalls without an AV present and is basically testing D+ to stop viruses, malware, and the like. What I want to do is to be able to stop a rogue program dead in its tracks at the first sign of something not right and D+ would stop all of the other processes from running too with just one popup telling me that something tried to mess with my system and that it was stopped. The rest of this thread hopefully will be, what is the least I can do to achieve this.

Ok, here is what I found so far to block them with D+ of v3:

One can have wscript.exe and cmd.exe as trusted under Computer Security Policy. The trick is that when someone tries to execute a .vbs or .bat file, an alert is shown: “explorer.exe tries to execute wscript.exe” or “explorer.exe tries to execute cmd.exe”. So at this stage you can allow a known script and block any other.

Please correct me if I’m wrong and there is a way to pass commands from a .vbs or .bat file directly to wscript.exe or cmd.exe in such a way that D+ cannot intercept them.

@Ragwing,

I have been fiddling with stopping wscript since you posted and I was not ignoring you but waiting to get to this point of trying to set up D+ before I commented. I did put wscript in the My Protected Files section and made it an Isolated Application, without modifying anything else. This was after I had already rebooted so it did stop it from running with a pop up saying I didn’t have rights to run the file and stopped it dead. I also tried to run it from a command prompt and I got “access denied”. This is what I am wanting, no other prompts just kill it and keep anything else from the process from running. But, when I rebooted this morning I found that explorer.exe and svchost both were trying to access wscript.exe and were being blocked in the D+ log. Nothing out of the ordinary happened on bootup as I was able to get a connection to the internet and everything seemed to be normal. Blocking access to wscript this way I think could be done but then I think I might try going into wscript and allowing access to it by listing all of the files that can have access to it by using the instructions in the screenshot below and the D+ log as a guide. What I hope to find out by allowing these files access to wscript is do these files having access to wscript compromise the protection. I am trying to dig thru the help file on D+ to see how it works so I can get a better understanding of it and how the chain works.

Looking forward to comments from all. I am looking for cold hard facts here. If you have a way to stop something and can prove it from having tested it, or an idea on how it might be done, then please post your idea so all of us can either try it or learn from it. My goal is to stop anything that is not on my clean system from the beginning dead in its tracks, with a popup saying it has been stopped and no other processes can run. Nothing to clean up (Not wishing for much am I?). TIA

One warning I should probably give to people following this thread is that if you don’t have a way of restoring your system then please don’t try anything suggested until the changes can be proven to be safe and reliable. Even changes that are determined to be working ok on my system may not work on yours so keep that in mind and be prepared to lose your OS and have to restore it from scratch if something goes haywire.

later

jasper

[attachment deleted by admin]

jasper, I have Windows Script Host (wscript.exe) disabled, and I haven’t encountered a single problem. The easiest way to disable it is not to use Defense+. Instead, go to %windir%\system32\dllcache\ and delete wscript.exe, then go to %windir%\system32\ and remove the extension for wscript.exe so it’s only wscript. This way, it can’t execute the scripts, as Windows doesn’t know that wscript is an .exe, so wscript can’t be started.
I think there also should be a setting for this in either gpedit.msc or secpol.msc.

Cheers,
Ragwing