Stormy weather for malware defenses


ronjor
March 7th, 2007, 11:34 AM
-{ Quote: ""Virus writers' goals have changed," Amir Lev, CEO of CommTouch, said in an e-mail interview with SecurityFocus. "They are doing 'good' business now. They do not focus on finding vulnerabilities in Microsoft and other products, they look for 'vulnerabilities' (in) the AV (antivirus) systems."" }-Article (http://www.securityfocus.com/news/11446)

WilliamP
March 7th, 2007, 01:58 PM
In the article it has a good write up on behavior blocking. What is the best behavior blocking program available right now?

fcukdat
March 7th, 2007, 02:18 PM
Some Symantec products and OneCare have been reported as having known vulnerabilities but the painful truth is any piece of code can be written to break another piece of code and with that anything can be conceivably backdoored:'(

If ever there was an advert or story to promote security through obscurity:thumb:

walking paradox
March 7th, 2007, 02:30 PM
The article seems to be an extension of a point I brought up in a separate thread here (http://www.wilderssecurity.com/showthread.php?t=167613). While I discussed the trend from the perspective that current AVs are incorporating trojan and spyware protection (thus reducing the demand for stand-alone anti-trojan and anti-spyware programs and eventually making them a thing of the past), the article extended it to include behavior blockers (HIPS). Similarly, towards the end of the article, it explained how today's AVs will become comprehensive anti-malware programs, but will likely maintain the name of 'anti-virus' due to the nature of the market.

-{ Quote: "In the article it has a good write up on behavior blocking. What is the best behavior blocking program available right now?" }-
Here (http://techsupportalert.com/security_HIPS.htm) is a comprehensive review of several HIPS programs.

EASTER.2010
March 7th, 2007, 09:21 PM
STOP ALREADY with that defeatist attitude.

Malware is at an end, it's only released to attract a chuckle from those who think they have made some internet impact on numerous machines which they definitely have not and cannot.

There is safety in numbers and the number of Anti-spywares plus especially superiorly fashioned ARK's are evidence of that.

Malware is a dying breed like it or not, why? A couple of good reasons avidly avoided by the security forums who fear their hits may drop to an all time low.

RKUnhooker is the King of them all in ARK's like it or not. I can't get Gmer to work on my machine but myriads others find complete satisfaction in it.

Malware is at an end in NTSystems regardless of silly claims to the contrary.

I'm sorry but HIPS like ST, SSM, and PS eliminate those threats in their entirety, I challenge any one to prove different with any accurate results you can display for this community to review.

The AS terminators like SAS easily dismiss plenty of potential THREATS and the RKUnhooker drives these malicious jokers to the surface to expose them for complete termination.

Malware cannot match the programs designed to expose them. Case Closed. As I said, there is power in numbers.

For god's sakes end the panics, effective security programs today to those dark code writers have them nearly at their wits end.

dah145
March 7th, 2007, 10:05 PM
-{ Quote: "In the article it has a good write up on behavior blocking. What is the best behavior blocking program available right now?" }-

IMO KAV/KIS PDM (Proactive Defense Module) is the best behavior blocker :thumb:

duke1959
March 7th, 2007, 10:07 PM
Hey EASTER.2010, I saw you included Spyware Terminator in your perhaps accurate analysis of the demise of malware. Does this mean you think it is an effective preventer of any malware that is still around?

herbalist
March 8th, 2007, 12:38 AM
-{ Quote: "On January 18, .... more than 350 different variants were released, according to report penned by security firm CommTouch Software. Four days later, the number of slightly-different versions jumped to more than 7,300. By the end of January, more than 54,000 variants had hit the Internet,....

....The technique exploits a weakness, not in the software, but in the system. Analyzing malicious code requires, for the most part, human researchers, and the coders hope to overwhelm the human component long enough to compromise as many systems as needed. ....

.....The Storm Worm is likely responsible for creating a bot net that contains more than 20,000 computers and perhaps as many as 100,000, Nazario said. Other evidence appears to indicate that there is more than one Storm Worm-related bot net." }-
How much more proof do we need that blacklist based security apps are an exercise in futility? The quantities alone make signature based detections nearly unworkable. AntiVir's VDF files total over 12 mb now. F-Prot's definition files are over 10mb.
http://i138.photobucket.com/albums/q277/herbalist-rick/f-protdetections.gif
If more of the malware writers decide to use the same tactics, we could easily end up with definition files containing over a million detections, and they'd still be incomplete and outdated from the moment they're released. There are too many ways malicious code can be packed, encrypted or modified for signature based detection to work reliably.

For signature based security software, its vendors, and the users whose security strategy is blacklist based, this storm is going to get worse. The users that have adopted a security strategy based on a whitelist approach will fare much better. Even though it takes some time and planning to set up, it's much easier to enforce a policy that allows 50 or 100 known processes to run than it is to identify and block hundreds of thousands of malicious and unknown processes, files, variants, etc. It can be done at little or no cost, is much lighter on your system, and isn't out of date 5 minutes after the last update, like AVs are. Works on old and new systems alike.
Rick

BlueZannetti
March 8th, 2007, 07:04 AM
-{ Quote: "How much more proof do we need that blacklist based security apps are an exercise in futility? The quantities alone make signature based detections nearly unworkable. AntiVir's VDF files total over 12 mb now. F-Prot's definition files are over 10mb." }-Rick,

While I do believe that, in principle, you're correct and eventually a purely blacklist approach will fall under its own weight, I still believe we're a number of years from that point. In addition, pure size of the VDF files is not necessarily a key limiter, it is how that database is indexed/cross-referenced/managed and used.

That said, it is clear that anti-malware products have already started to augment blacklist signatures with additional approaches to stave off this eventuality with the range spanning products like AntiExecutable (pure whitelist) to Prevx (combined white/black lists) to the latest proactive defense modules in KAV/KIS (assessing operational characteristics). All of these approaches work to varying degrees, all have limitations as well.

Blue

walking paradox
March 8th, 2007, 11:28 AM
-{ Quote: "all have limitations as well." }-
To get another's perspective on the matter, and to perhaps learn something I don't already know, what do you think those limitations of each approach are? Others are of course welcome to comment on this.

EASTER.2010
March 8th, 2007, 12:19 PM
-{ Quote: "Hey EASTER.2010, I saw you included Spyware Terminator in your perhaps accurate analysis of the demise of malware. Does this mean you think it is an effective preventer of any malware that is still around?" }-


ST and its scan detections are not the issue because those limitations are well known but no matter, other AS's like SAS can more than make up for that.

What AST does do well is intercept malware BEFORE IT can lodge to a pc and that's where HIPS and its Resident-Guard supersedes its scan. Enough said.

Rmus
March 8th, 2007, 10:00 PM
-{ Quote: "To get another's perspective on the matter, and to perhaps learn something I don't already know, what do you think those limitations of each approach are?" }-It seems to me that the question, "What is the likelihood that a particular threat will be exploited on my computer," should be considered in developing a security strategy. Yet, it is rarely discussed.

"Limitation" is often used to mean that a security product doesn't cover certain situations. Does that mean it can nullify your security strategy?

With many firewalls including so-called HIPS technology, a simple packet filtering firewall will have limitations to some people. For others, it's not a consideration because of other security measures in place.

Many consider the WinXP firewall limited because it doesn't provide outbound monitoring. However, I can think right off hand of three people using XP's firewall who don't consider it limited, because they think the likelihood of malware installing that would connect out, to be nil. I know two people who don't even use a firewall. None of these mentioned have ever had an infection.

The same rationale of limitation can be applied to Black List versus White List, as you ask. In the Processguard-freeware discussion, fcukdat dismisses claims of limitation with this statement,

-{ Quote: "I stand by the statement if it can't execute it will not infect" }-Now, that takes gumption to say in a public security forum where many of the topics are on the latest sophisticated malware and various esoteric products; and it's evident that this statement is based on an understanding of how exploits work, and confidence in how to deal with them.

In my circle of computer friends, I'm seeing more of this confidence - analyzing carefully the latest threats, seeing what the likelihood is of them being exploited on our systems, and dealing with them accordingly, from the standpoint of understanding, and not falling lock-step in line to get the latest product because we are led to believe that without it, we are vulnerable. As one colleague puts it, "We are in charge of our own computers. We make the decisions, not the market place."

Each person has to decide whether a product's limitation, so-called, is relevant to her/his own computing environment. No one else can make that judgment call.


-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

herbalist
March 9th, 2007, 07:02 PM
-{ Quote: "and eventually a purely blacklist approach will fall under its own weight, I still believe we're a number of years from that point. In addition, pure size of the VDF files is not necessarily a key limiter, it is how that database is indexed/cross-referenced/managed and used." }-
I don't believe it will take nearly that long. If it weren't for their adding whitelist methods, behavior analysis, etc, it would already be happening. Blacklists containing hundreds of thousands or millions of signatures are unworkable. The sheer size of the signature and definition files is one of the primary reasons AVs are so resource and processor hungry. If malware writers kept up that kind of direct attack on AV vendors, we'd have 1.5 million more variants to contend with in a year's time.

The quantity of malware is only part of the problem. With so much of it coming from botnets, it gets widespread before the AV vendors get signatures out for it. The ones that have been showing up in my Yahoo spamcatcher mailbox are only being detected by about half of the AVs at VirusTotal.

I'm sure that I'm not the only one here who's noticed how little time elapses between the discovery of a new vulnerability and the appearance of exploits for it in the wild. How many times have we been down this road in the last 2 years? The WMF exploit. Malicious code in JPEGs, DOCs, etc. These exploits can be used for weeks at times before M$ gets a patch out.

If the quantity of malware and the incredible speed it gets developed and spread aren't enough reason to drop the blacklist approach to security, its nature and the payload it carries should be enough reason in itself. Much of it cannot be removed by an AV if it doesn't recognize it coming in. Some of the malware is getting nearly impossible to detect and remove once it's installed. It hides itself. It defends itself. It directly attacks security software. Much of it is designed to take control over your PC or steal personal info, like account numbers and passwords. The potential cost of an infection has never been higher.

How much needs to be said about the social engineering aspect of malware delivery? Malware writers are incredibly inventive when it comes to convincing people to click on something they shouldn't. Malware can and does turn up anywhere. The common sense approach isn't enough anymore. You can tell users not to visit questionable sites, assuming the average user can tell a questionable site from a legit one. Then again, legitimate sites can and do get hacked and seeded with malware. The seeding of the Super Bowl site is an example. Factor attacking DNS servers into this. Malware can be hidden in almost any file type anymore. Factor in spoofed file extensions. What apparent file types can be trusted? The advice telling users not to open e-mail from someone they don't know does little if it comes from an infected friend. Simply put, there are no completely safe sites, file types, or sources anymore.

I realize that most readers here know all these different things, but consider their combined effect. The odds have never been higher that you will contact malicious code that your AV doesn't recognize. One missed detection can result in an infection that's nearly permanent. If rootkits keep progressing, we could well see unremovable malware in the near future.

In my opinion, these factors combined make the risk of infection and resulting damage too high to depend on blacklist technology.
-{ Quote: "I stand by the statement if it can't execute it will not infect" }-
Very true. A security strategy that only allows known processes to run and limits their activities to what is necessary for the system to function will not get infected. It's not that difficult to set up a security strategy that's whitelist based. Unless you're a user who always wants to install something new, a whitelist strategy isn't restrictive either. The apps you use run as they should.

I'm not saying that users should uninstall their AVs. They still have their place, but that place is not at the core of a security strategy or system. On my system, AVs are for scanning incoming files. I don't use the resident component. My system is so much faster and more stable now that it doesn't have to check every process and file accessed against an oversized blacklist. My security strategy has 3 basic parts. Everything else is secondary and fills a support role.

Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic.
Control over what is allowed to run and what those apps are allowed to do.

A security strategy that accomplishes these 3 things will keep a PC malware free.
Rick

Pedro
March 9th, 2007, 07:33 PM
I think it's not that bad. Malware writers are evolving, and so are AV vendors. Heuristics still has a long path to go, it seems. I guess there's a finite number of possible actions malware can do, so generalistic signatures can still do a lot.
Signatures also have a quality not present in the other methods: malware clearly identified, no second thoughts. A trojan found is a trojan found, no analysis needed, except verifying that it's not a FP.

It is not good by itself, but signatures have a good advantage, even if you think only for "noobs". I consider myself a permanent half "noob", and some sort of signature scanner has to be on my pc.

BlueZannetti
March 9th, 2007, 10:38 PM
-{ Quote: "I don't believe it will take nearly that long. If it weren't for their adding whitelist methods, behavior analysis, etc, it would already be happening. Blacklists containing hundreds of thousands or millions of signatures are unworkable. The sheer size of the signature and definition files is one of the primary reasons AVs are so resource and processor hungry. If malware writers kept up that kind of direct attack on AV vendors, we'd have 1.5 million more variants to contend with in a year's time." }-Personally, I believe that you overstate the case.

Let's put some numbers around the discussion. Assume that the total KAV database size is a reasonable indicator of the unique malware population. Right now it's running at ~ 260,000 entries. If you look at the growth rate of this signature database, it is exponential, but it's been a stable exponential since ~March 2005. The doubling period is approximately 20.6 months and has been for the past 2 years. Yes, malware is growing in net current and legacy population, but it is on a very predictable trajectory. That's fairly important since it allows you to plan as well as estimate/simulate how a product will behave in the future. Vendors are not working in the dark, they have a clear path and design objectives in front of them, and part of those design objectives relate to performance.

Now, if you balance that database growth against historical trends in growth of computing power, it's roughly a wash to steady state. I realize we all (unfortunately) don't renew our hardware yearly (Note to self - must discuss this with wife... :)). However, in the 5 years that I've owned my current machines, I have not noticed an inexorable loss of performance due to my AV/etc., in fact, they're either an equivalent or lesser drain on system performance than when I started. As with the hardware, the software end has advanced as well, in part because they have a reasonable idea of the design needs for the immediate future.

I realize that it's only anecdotal, but I simply don't see a major negative impact to date. Given that, I don't see a near term death of classical AV solutions.

-{ Quote: "If the quantity of malware and the incredible speed it gets developed and spread aren't enough reason to drop the blacklist approach to security, its nature and the payload it carries should be enough reason in itself. Much of it cannot be removed by an AV if it doesn't recognize it coming in. Some of the malware is getting nearly impossible to detect and remove once it's installed. It hides itself. It defends itself. It directly attacks security software. Much of it is designed to take control over your PC or steal personal info, like account numbers and passwords. The potential cost of an infection has never been higher." }-I believe it is important to differentiate between what is extremely unlikely vs. potentially possible vs. somewhat likely vs. likely vs. nearly certain. Many things are possible, only a small subset of that is likely. It's prudent to plan, but the plan has to include an assessment of the realistic scenarios. Yes, there are things such as rootkits out there and while they can create problems once installed, they are not floating in the ether infecting you under an invisible cloak. They're like any other piece of software downloaded to a system - no more, no less.

-{ Quote: "Simply put, there are no completely safe sites, file types, or sources anymore." }-Let's take this at face value. If true, what is a user to do? How do they know if anything downloaded is malicious? Do they disassemble it and use their rudimentary programming skills to figure out the good from the bad? Of course not. So they do need guidance - the guidance of a blacklist.

-{ Quote: "If rootkits keep progressing, we could well see unremovable malware in the near future." }-Everything is removable. Everything. It's only a matter of will and approach.

-{ Quote: "In my opinion, these factors combined make the risk of infection and resulting damage too high to depend on blacklist technology.

...

I'm not saying that users should uninstall their AVs. They still have their place, but that place is not at the core of a security strategy or system. On my system, AVs are for scanning incoming files. I don't use the resident component. My system is so much faster and more stable now that it doesn't have to check every process and file accessed against an oversized blacklist. My security strategy has 3 basic parts. Everything else is secondary and fills a support role.

Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic.
Control over what is allowed to run and what those apps are allowed to do." }-This is great that it works for you. Now ask yourself, what do you need to know to make this work effectively? In terms of computer operations, it's a fair amount, even relative to longtime casual users. How disciplined do you have to be to make this work effectively? If you're planning to perform demand scanning for all downloaded content prior to use, rather disciplined is the answer. Can it be done? Of course, although it's not a path I plan to follow.

I agree that straightforward whitelist approaches are perfectly viable. A well considered classical blacklist approach is also viable. Hybrid approaches are viable. Approaches not based on Windows are viable. In the right hands and under the right circumstances, a bare Windows PC is fine as well. There are many strategies that are viable and within those constructs an enormous number of specific implementations. AV's can still be the absolute core of a very viable security implementation for anyone.

As for speed, although my PCs are now 5 years old, the bottlenecks still reside in delivery of content, not rendering it on the local machine, and I'm on a reasonable cable connection. A faster machine would be great, but in actual testing, the incremental performance boost is extremely modest at best and not worth it to me at the moment.

Blue

aigle
March 10th, 2007, 08:10 AM
-{ Quote: "Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic." }-

Hi herbalist, nice post. Can you explain the difference between the two and how to accomplish this? By a firewall only I think.

lucas1985
March 10th, 2007, 12:34 PM
@aigle:

-{ Quote: "Control over the traffic in and out of the PC." }-
Firewall.
-{ Quote: "Control over what content can be in the allowed traffic." }-
Content filtering: Adblock + NoScript, Proxomitron, etc.

EASTER.2010
March 10th, 2007, 12:53 PM
If nothing else I think we can all agree that malware publishers have grown more innovative and if there's any consolation at all to be had in all this at least the script kiddie makers have bailed away from the more intelligent and knowledgeable designs that better writers have been able to achieve some success at.

Those guys are true testers of the validity of security programs as it requires as much intensive study and research testing as AV/AS developers themselves.

aigle
March 10th, 2007, 12:53 PM
Thanks.
-{ Quote: "@aigle:
Firewall.
Content filtering: Adblock + NoScript, Proxomitron, etc." }-

aigle
March 10th, 2007, 12:56 PM
-{ Quote: "Malware is a dying breed like it or not" }-

Any real life statistics?
-{ Quote: "I'm sorry but HIPS like ST, SSM, and PS eliminate those threats in their entirety, I challenge any one to prove different with any accurate results you can display for this community to review." }-

Come on! Be realistic. How many ordinary users can handle all this stuff?
They can't even handle the popups of a simple AV.

ErikAlbert
March 10th, 2007, 01:02 PM
So the bad guys are nowadays Anti-Anti-Virus.
And the good guys will now respond with an Anti-Anti-Anti-Virus solution.
Fantastic ::)

EASTER.2010
March 10th, 2007, 01:15 PM
-{ Quote: "Any real life statistics?" }-

Links would eat my entire day up but for simplicity's sake one only needs to see the results posted by HIPS users and how incredibly more secure they have become.

In retrospect, an uneducated noobie to the net is a prime target of course but malware is quickly running out of ideas and room to operate, at least so far as XP is concerned.

Do your own personal review of the many HIPS recently surfaced, virtual programs like Power Shadow, and also look at the increased usage of the more recent advanced features (HIPS included) of AV's and the power of the better AS's like SAS.

That is a very formidable front by any stretch if I might say so myself.

aigle
March 10th, 2007, 02:00 PM
You are just being fascinated by HIPS. They have never been for normal users.
Let's talk about all, not only about yourself or other users of Wilders.

EASTER.2010
March 10th, 2007, 02:06 PM
-{ Quote: "You are just being fascinated by HIPS. They have never been for normal users.
Let's talk about all, not only about yourself or other users of Wilders." }-

HIPS are no fantasy or fascination. I run rootkits/malwares like Gromozon plus viruses and HIPS are very up to the task at intercepting possible forced intrusions. If not for normal users then why are Anti-Virus and even Firewalls getting in on the act now of application firewalling?

There is no hype at all in this newest of innovations, they are becoming and will be commonplace even more with the most popular of security programs as time moves ahead.

It just makes perfect sense to thwart a potential attack BEFORE the fact instead of having to deal with the AFTER effect of having been invaded.

Pedro
March 10th, 2007, 02:15 PM
Aigle is saying, and I agree, that not many people can use that. Not practical.
Maybe you disagree, but this is the point.

EASTER.2010
March 10th, 2007, 02:36 PM
-{ Quote: "Aigle is saying, and I agree, that not many people can use that. Not practical.
Maybe you disagree, but this is the point." }-

I see, point taken. Then my own suggestion would be to turn to a Prevx1 that can do all the actions and make those decisions for you based on a community database they have well established and seems satisfactory enough that many users totally trust.

Pedro
March 10th, 2007, 02:41 PM
Surely there are other also interesting approaches, CH, SandboxIE/GeSWall/DefenseWall/etc.
CH drops everything else and concentrates on behaviour, how to identify malware behaviour and block it. Sandboxes are a second firewall to me, and I keep one too.
Prevx1 is more appealing to me, but surely there are other interesting solutions.
Malware writers evolve, and so does the other side of the law.

lucas1985
March 10th, 2007, 02:55 PM
Don't forget social engineering.

duke1959
March 10th, 2007, 03:26 PM
I think for an average user like myself, although I am armed with the knowledge obtained here, that a router firewall combined with Firefox, an Antivirus, Windows Firewall, and Cyberhawk would be all that is needed. CH is basically a set and forget program with pop ups, if there even were any, that are easy for an average user to understand. Of course because of the knowledge obtained here, even as an average user who's behind a Router SPI Firewall, I still have AVG AV and FW, Spyware Terminator, and Cyberhawk installed currently. LOL.

herbalist
March 10th, 2007, 03:46 PM
-{ Quote: "Assume that the total KAV database size is a reasonable indicator of the unique malware population. Right now it's running at ~ 260,000 entries. If you look at the growth rate of this signature database, it is exponential, but it's been a stable exponential since ~March 2005. The doubling period is approximately 20.6 months and has been for the past 2 years. Yes, malware is growing in net current and legacy population, but it is on a very predictable trajectory." }-
I doubt that rate will remain constant if malware writers continue the attack described in the first post. If more of the malware writers start using this tactic, what would be the result? The vendors' coders have to put in more hours or they hire more coders to dismantle variants. Cost increases for users and larger databases the PCs have to deal with. Either way, the user pays for the AV vendors needing to defend themselves.
Consider this point from the article:
-{ Quote: ".....The Storm Worm is likely responsible for creating a bot net that contains more than 20,000 computers and perhaps as many as 100,000, Nazario said. Other evidence appears to indicate that there is more than one Storm Worm-related bot net." }-
Much of the malware we deal with comes from these botnets. In some ways, these botnets are the evolution of the original computer virus concept. In over-simplified terms:
Virus infects computer, sends infected content to another where it's opened, replicates, and repeats.
Malware spreading botnets are doing almost the exact same thing.
Malware turns computer into botnet component, sends infected content to others where it's opened, turning new PC into botnet component, and repeats.
Same concept, but much more efficient and productive. Like viruses on steroids. Nothing I've seen indicates that this trend will stop anytime soon. If anything, it will increase and raise the exponential growth rate even more.
-{ Quote: "Now, if you balance that database growth against historical trends in growth of computing power, it's roughly a wash to steady state." }-
In other words, advances in computing power are consumed by the security apps designed to protect them, leaving the user with little if any gain for their money. I'd call that a steady loss of efficiency, a waste of processor power, and an unnecessary waste of electricity. When we demand more efficiency from everything else we use, why do we willingly accept the opposite with computer technology?
-{ Quote: "I realize we all (unfortunately) don't renew our hardware yearly (Note to self - must discuss this with wife... ). However, in the 5 years that I've owned my current machines, I have not noticed an inexorable loss of performance due to my AV/etc., in fact, they're either an equivalent or lesser drain on system performance than when I started." }-
I'm still running the same 98 box I've had all along. I can honestly say that it's faster and more stable now than it ever was. That said, I'm also at the limits of my hardware, especially the processor. With DSL, my processor is my limiting factor, not surprising when it's a 366 MHz. New hardware would be nice. As much as I'd like it, I can't honestly say I need it, and when I do upgrade, the extra speed and processor power will be for me to use, not for some security app to waste and leave me with nothing more than I had.
-{ Quote: "I believe it is important to differentiate between what is extremely unlikely vs. potentially possible vs. somewhat likely vs. likely vs. nearly certain. Many things are possible, only a small subset of that is likely. It's prudent to plan, but the plan has to include an assessment of the realistic scenarios." }-
That sounds good on paper, but I know of no realistic way to tell what the next attack vector may be. Go back a few years for a moment. If someone had told you that looking at a JPEG would infect your system, would you have believed it? How about PDF files? Flash files? The WMF exploit, who had a strategy that anticipated that coming? Since there's no way to know what's coming next, how do you decide what is likely? For myself, I work on the assumption that if something can be exploited, it will be.
-{ Quote: "-{ Quote: "If rootkits keep progressing, we could well see unremovable malware in the near future." }-Everything is removable. Everything. It's only a matter of will and approach." }-
This is assuming that such a rootkit gets detected. That's half the battle anymore. It's also very much a factor of the user's skill and knowledge. Many of us here could win a battle with a rootkit but the average user? Factor in the OS version. With 98, I don't have to fight that battle at all. With XP, the battle is there but can be won. Then there's Vista. Where that stands with removing rootkits remains to be seen.
-{ Quote: "-{ Quote: "My security strategy has 3 basic parts. Everything else is secondary and fills a support role.

Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic.
Control over what is allowed to run and what those apps are allowed to do." }-Now ask yourself, what do you need to know to make this work effectively? In terms of computer operations, it's a fair amount, even relative to longtime casual users. How disciplined do you have to be to make this work effectively? If you're planning to perform demand scanning for all downloaded content prior to use, rather disciplined is the answer. Can it be done? Of course, although it's not a path I plan to follow." }-
Regarding the scanning downloaded content. If you use a download manager with integrated AV scanning, it's done for you once you set it up. That said, scanning downloaded material should be part of any security policy, especially if any executable content is involved.

Yes, a certain amount of knowledge and some discipline are needed. How much depends greatly on which version of windows you use. The traffic and application control aspects of this are much simpler on a DOS based unit than with XP. I don't have to deal with services. The OS works fine without system components getting internet access. There are far fewer processes to control (or to be exploited). I'm limiting this to the software aspect of the policy. I'm definitely not recommending using a software firewall to replace a router or anything like that. Far from it. IMO, both are necessary as routers are not impervious to attack. Even though they are hardware, they use their own software, which can have vulnerabilities of its own. The one supplied by my DSL service for instance is limited to an 8 character administrative password (my next investment, a better router).

My security strategy starts with traffic control via a rule based firewall. Only the software and system components that actually need internet access get it, and then only to where they need to connect. Apps requiring incoming connections are limited to the specific IPs they need, with ports and protocols to be used specified. While some knowledge of basic internet function is necessary (IP address structure, basic protocol types, port numbers), writing such firewall rules is more of a discipline issue. It's taking the time to look up the IP in the firewall alert to see who it belongs to, noting what ports and protocol it's using, then making rules specific to those, restarting the app and doing it again, as many times as it takes. It's avoiding the "allow all" options for apps that don't need it, whether it's IPs, ports, direction, etc. Why let your AV updater connect to anywhere when it only needs access to a very few IPs?

Some apps like the browser can connect to anyplace if the user allows it. Mine is routed thru Proxomitron on a non-standard port. In some instances, a browser will want to use a non-standard port that just won't work thru Proxomitron. Game sites are one example. On my box, I have a rule specific to that sites IP and the port the game server uses, avoiding an "allow all" rule.

Proxomitron fills most of the content filtering role on my system. Other examples are the hosts file (filtering adservers, malicious sites, etc), NoScript, etc. Your browser settings have a lot of say here as well. Of the 3 basic control policies, this is probably the most complicated and takes the most time. By keeping the content filtering separate from the traffic and application control aspects, the user can choose what best suits their needs and skill. An app like Proxomitron can be intimidating when you start studying how the filters work, but there are some good sets freely available. Some filter sets allow whitelists for sites for different contents, like a list of sites allowed to use Java Script. Way too many options to cover here.

The control of applications and their activities can be anything from system policies to HIPS. On my box, it's SSM and a ruleset that has all parent-child settings, allowed hooks, etc. specified. IMO, the policy editor for 98 isn't a viable option. Too easy to defeat with tactics that have been used by malware for some time. It does take some knowledge but more discipline to take the time to specify each allowed parent and child, but the result is a security policy that doesn't allow risky behavior or unknown processes. It no longer matters if your AV doesn't recognize "malware app A". Unless you choose to allow it, it's not going to run or infect you. With SSM for instance, if you run with the UI disconnected, the user won't even be asked to allow it. It's just blocked.

This type of policy isn't for users who like installing new apps regularly. It isn't for users who don't know windows explorer from Internet Explorer. It's for those who know what's on their systems and have them equipped the way they want them. Once finished, your security apps and policies can protect you in most any situation. I'm not careful about where I browse. I don't have to be.
Rick
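The per-application rule discipline described in the post above (each app gets only the hosts, ports, protocol and direction it needs; everything else is denied and surfaces as an alert that the user turns into a narrow rule), as an added example. This is not the poster's ruleset or any product's rule format: the application names are constructed, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges that never route on the real Internet.

```python
"""Rule-based, default-deny application firewall (added example, not from the post).

Application names, addresses and ports are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    app: str        # executable the rule belongs to
    direction: str  # "out" (app connects somewhere) or "in" (app listens)
    proto: str      # "tcp" or "udp"
    remote: str     # single IP or CIDR; "0.0.0.0/0" is the "allow all" the post warns about
    port: int       # remote port for "out", local port for "in"
    action: str = "allow"


@dataclass(frozen=True)
class Conn:
    app: str
    direction: str
    proto: str
    remote_ip: str
    port: int


class Firewall:
    """First matching rule wins; no match is a deny, logged as an alert."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alerts: List[Conn] = []  # denied-by-default connections, raw material for new rules

    def _matches(self, r: Rule, c: Conn) -> bool:
        return (r.app == c.app and r.direction == c.direction
                and r.proto == c.proto and r.port == c.port
                and ipaddress.ip_address(c.remote_ip)
                in ipaddress.ip_network(r.remote, strict=False))

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if self._matches(r, c):
                return r.action
        self.alerts.append(c)
        return "deny"

    def suggest_rule(self, c: Conn) -> Rule:
        """Narrowest rule that would allow exactly this alerted connection: one
        host, one port, one protocol, one direction. Whether to add it is the
        user's call after looking up who owns remote_ip."""
        return Rule(c.app, c.direction, c.proto, f"{c.remote_ip}/32", c.port)


# Constructed ruleset in the spirit of the post: the AV updater may only reach
# a handful of update hosts, the browser only the local filtering proxy, plus
# one pinhole for a game site's server on its non-standard port. The proxy is
# the only thing allowed to reach arbitrary web servers.
RULES = [
    Rule("avupdate.exe", "out", "tcp", "203.0.113.0/29", 80),
    Rule("browser.exe", "out", "tcp", "127.0.0.1/32", 8080),      # local filtering proxy
    Rule("browser.exe", "out", "tcp", "198.51.100.7/32", 27015),  # game server pinhole
    Rule("proxy.exe", "out", "tcp", "0.0.0.0/0", 80),
    Rule("proxy.exe", "out", "tcp", "0.0.0.0/0", 443),
]


def demo() -> dict:
    """Run a set of constructed connection attempts through the ruleset."""
    fw = Firewall(RULES)
    probes = {
        "updater to update host": Conn("avupdate.exe", "out", "tcp", "203.0.113.3", 80),
        "updater to other host":  Conn("avupdate.exe", "out", "tcp", "203.0.113.99", 80),
        "browser via proxy":      Conn("browser.exe", "out", "tcp", "127.0.0.1", 8080),
        "browser direct https":   Conn("browser.exe", "out", "tcp", "198.51.100.7", 443),
        "browser to game server": Conn("browser.exe", "out", "tcp", "198.51.100.7", 27015),
        "script with no rule":    Conn("wscript.exe", "out", "tcp", "198.51.100.200", 80),
    }
    return {name: fw.decide(c) for name, c in probes.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5s}  {name}")
```

The point of `suggest_rule` is the workflow the post describes: an alert is answered with a /32 and a single port, not with "allow all", and the app is restarted until it stops alerting. Note that a rule for the browser to 198.51.100.7 on port 27015 does not let it reach the same host on 443; that traffic still has to go through the proxy.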

duke1959
March 10th, 2007, 04:10 PM
Wow herbalist that was very informative, but it still makes me want to ask you if you agree at all with what a poster here in this forum says about simply using ProcessGuard Free for protection. If it can't execute it can't infect. I am beginning to think that maybe this is true, and just using PG Free with an AV and maybe Cyberhawk really isn't the best way to go, especially if you're behind a router firewall and using Firefox with NoScript.

fcukdat
March 10th, 2007, 04:26 PM
-{ Quote: "Wow herbalist that was very informative, but it still makes me want to ask you if you agree at all with what a poster here in this forum says about simply using ProcessGuard Free for protection. If it can't execute it can't infect. I am beginning to think that maybe this is true, and just using PG Free with an AV and maybe Cyberhawk really isn't the best way to go, especially if you're behind a router firewall and using Firefox with NoScript." }-

Who me;D

Just to clarify, I am not saying to solely use PG but to use it as the big iron up front. Again, this will suit someone who has a matured system setup that doesn't download new software all the time.

Anti- exec should be the big iron up front for all mature systems IMO

Ultimately stuff like this boils down to the end-user's ability and confidence in their arrangement. Putting it in slang, I need 2 firewalls personally, one between the web and my computer and the other between executable code and the computer's memory. These 2 forms of firewalling offer the control that I require and have confidence in, but as always what works for me might not be suitable for all :)

I also use IDS to patrol in between, but in all honesty I don't need it and just have a soft spot for the cute little software *puppy* with added hosts protection (saves manually editing the hosts file after some types of malware infection when in malware hunting mode).

duke1959
March 10th, 2007, 04:35 PM
Yeah you fcukdat. LOL. I have PG Free installed now with my AVG AV and FW, along with Spyware Terminator and Cyberhawk. Do you think I should get rid of ST? I feel CH gives me some rootkit protection and compliments PG Free more, but I'm not sure. Just wondering.

Rmus
March 10th, 2007, 04:36 PM
-{ Quote: " I know of no realistic way to tell what the next attack vector may be. Go back a few years for a moment. If someone had told you that looking at a JPEG would infect your system, would you have believed it? How about PDF files? Flash files? The WMF exploit, who had a strategy that anticipated that coming? " }-Actually, anyone who incorporated White List tactics as part of their security strategy.

wmf zero day (http://urs2.net/rsj/computing/tests/wmf_zeroday/)

Right off hand, I can think of 7 I know personally, and one in the forums, fcukdat using ProcessGuard

[Edit: Ade, I just saw your post!]

-{ Quote: "Since there's no way to know what's coming next, how do you decide what is likely? " }-You don't have to know!

From an article discussing White List (http://www.techlinks.net/WhitePapers/An%20Ounce%20of%20Prevention%20-%20SecureWave.pdf) from two years ago:

-{ Quote: "The approach most enterprises have taken to endpoint security has basically echoed the defensive posture taken with their networks, firewalls, anti-virus and intrusion detection. All of these are effective to some degree, but hardly provide a complete answer. These are all geared toward identifying bad processes and malicious code. Trying to keep up with everything that is bad is a monumental task-one that is falling behind and should be reserved for reactive clean-up and maintenance processes. Trying to maintain an up-to-date 'blacklist' cannot be expected to work over the long run.

What if we were to take a more proactive approach and determine which processes and software should be allowed to run instead? Such a whitelist approach exists today in the form of software solutions that enable enterprises to enforce a security policy for the use of approved application, denying all else by default. This approach can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency." }-There is no reason why anyone should be infected from an inadvertent mishap or zero day exploit.

Now, downloading/installing stuff is another situation, and requires different tactics. But that's another topic.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

fcukdat
March 10th, 2007, 04:49 PM
-{ Quote: "Yeah you fcukdat. LOL. I have PG Free installed now with my AVG AV and FW, along with Spyware Terminator and Cyberhawk. Do you think I should get rid of ST? I feel CH gives me some rootkit protection and compliments PG Free more, but I'm not sure. Just wondering." }-

Without going too OT this is your decision entirely and is down to what you feel confident with.

I will say this from my level of knowledge about malware rootkits (and thus protection against them): in order for a rootkit trojan to be loaded, code has to execute in the first place via the dropper file.

So with that for me driver loading is a non issue for protection against rootkits because the droppers are caught by the anti-exec function of PG free.

Again this boils down to what folks know and are confident using:thumb:

Good post Rich:thumb:

cprtech
March 10th, 2007, 04:52 PM
Quotes from the article:

"Every day, it has been a new set of subject lines and new tactics to get people to open these," Allysa Myers, virus research engineer for security software maker McAfee, said in an interview with SecurityFocus."

“The program compromises systems by luring their users into opening the attachments of messages with subject lines regarding current news events, including violent storms in Europe--a characteristic that led to the program's naming.”

Just imagine the reduction of infections if more common sense was used in dealing with email attachments. I'm surprised this isn't brought up more in this thread.

-{ Quote: " My security strategy has 3 basic parts. Everything else is secondary and fills a support role.

Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic.
Control over what is allowed to run and what those apps are allowed to do.

A security strategy that accomplishes these 3 things will keep a PC malware free.
Rick" }-

Yeah, I would agree :)

BlueZannetti
March 10th, 2007, 05:00 PM
-{ Quote: "I doubt that rate will remain constant if malware writers continue the attack described in the first post. If more of the malware writers start using this tactic, what would be the result? The vendors coders have to put in more hours or they hire more coders to dismantle variants. Cost increases for users and larger databases the PCs have to deal with. Either way, the user pays for the AV vendors needing to defend themselves." }-herbalist,

You may be correct at some point, but I do prefer to work with objective data if possible when it is available. The updated figure below is current as of today (3/10/2007). There are absolutely no indications of deviations from the trends established over the past couple of years, despite all the hand wringing over the past 6 months or so. Will things change at some point? I'm sure they will, but the doubling time could increase as well with changes in detection technology. I've provided estimated doubling times for each period since 2001 as well.

-{ Quote: "This is assuming that such a rootkit gets detected. That's half the battle anymore." }-I realize that, I was simply reacting to your use of the term unremovable - everything is removable - everything.

-{ Quote: "Regarding the scanning downloaded content. If you use a download manager with integrated AV scanning, it's done for you once you set it up. That said, scanning downloaded material should be part of any security policy, especially if any executable content is involved." }-..and you've just lost the majority of users here. The "once you set it up" is where that happened.

-{ Quote: "I'm definitely not recommending using a software firewall to replace a router or anything like that. Far from it. IMO, both are necessary as routers are not impervious to attack. Even though they are hardware, they use their own software, which can have vulnerabilities of its own. The one supplied by my DSL service for instance is limited to an 8 character administrative password (my next investment, a better router). " }-There is no need for a better one. Let's be realistic here. Disable remote administration, use 8 characters, and you're still concerned to the point of investing in a new router?

-{ Quote: "....Once finished, your security apps and policies can protect you in most any situation. I'm not careful about where I browse. I don't have to be." }-What you do is fairly complicated. I realize that it's exceptionally safe. Let's just say, none of the machines I use go to those measures and as far as I can determine, I am as safe.

It's great that you have an approach that you're comfortable with. However, extremely simple approaches do work quite ably as well.

Blue

BlueZannetti
March 10th, 2007, 05:16 PM
-{ Quote: "To get another's perspective on the matter, and to perhaps learn something I don't already know, what do you think those limitations of each approach are? Others are of course welcome to comment on this." }-At least in my view...

Blacklists (i.e. classical AV's):
If a file is flagged a user has an unambiguous caution raised. It may be a false positive - which should always be recognized as a distinct possibility for a file on a system for an extended period of time prior to the flag - but the alert is sounded and the alarm is unambiguous
Unrecognized malware gets a pass with nary a whisper. This is a very time dependent issue, but a key one. No doubt about it, this is the Achilles heel of the blacklisting approach.
Experts schooled in the art are responsible for determining whether or not a file is malicious. A user can ignore the guidance, but the guidance is explicitly provided and based on a technically sound analysis, not a guess.
Whitelists (i.e. AntiExecutable, process execution control applications, etc.):
Effectiveness can be strongly dependent on the implementation.
In some cases, Anti Executable for instance, the whitelisting proceeds from a "system state known good" assumption and really just controls future exposures. Validation of system cleanliness is absolutely required.
Process execution control applications (e.g. Process Guard, SSM, etc.) whitelist according to user input. Unfortunately, ordinary users have little in the way of an objective basis to render informed input. Often, the allow/block decision is nothing more than pure guess. If a system is prevalidated as clean by a blacklist based scan, and desired applications are given approval immediately after, it's not that different than, for example, AntiExecutable. The main difference in this specific case would be the activation barrier to add new applications, which is rather higher with AntiExecutable.
HIPS style whitelist approaches tend to be rather noisy immediately after installation as the base execution and communications profiling occurs and is approved by the user. If the user can get through this phase, great. However, I've seen all too many cases of alert fatigue with perfectly mundane operations being flagged as malicious, when all they are is an operation that is potentially malicious, but only if initiated by malware. Valid programs often perform the same operations.
Programs such as Prevx try to get around this with a hybrid community based approach tiered with known good/known bad/unknown states.
Personally, I think whitelists are best for reasonably static machines, which isn't an overly exclusive state. Most users are not constantly changing applications or trying out new downloaded applications.
Firewalling is whitelisting after a fashion, particularly with respect to application control. Again, good in principle, but how does a common user render an informed choice of whether to allow or block?

If you were to ask me what I'd implement for as comprehensive coverage as I'd ever need for any circumstance, it would be along the lines of:
Classical AV, any decent one.
Lockdown installation/running of new executables either via OS policy management or a third party application such as AntiExecutable/etc. The latter approach is operationally easier and can be failsafe for most users.
Software firewall focusing only on application based control. That's the only filtering I'd do.
Router. Verify remote administration is disabled, change default password.

That's it, done. This is pretty much an install, five minutes of configuration, and go approach. The only questions to be answered should be allow/block by applications on first transit through the firewall - which for most users will be less than a couple of dozen prompts in all and nothing in the way of complex configuration (unless that is desired by the user).

I do believe one can get by perfectly well with less, however.

Blue
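The blacklist/whitelist trade-offs laid out in the post above, run over the same set of files, as an added example that is not code from any product named in the thread. The "files" are constructed byte strings standing in for executables; the SHA-256 sets stand in for an AV signature database (known bad) and an execution-control baseline (known good). It shows the three points the post makes: unrecognized malware passes a blacklist silently, a whitelist blocks it without needing to know what it is, and a whitelist taken from a system that was not clean approves the infection along with everything else.

```python
"""Blacklist, whitelist and hybrid decisions over the same files (added example).

FILES, KNOWN_BAD and the baselines are all constructed for illustration.
"""
import hashlib
from typing import Dict, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (the MZ prefix is only a reminder that
# these represent PE files; the content is otherwise arbitrary).
FILES: Dict[str, bytes] = {
    "notepad.exe":   b"MZ editor shipped with the OS",
    "oldtrojan.exe": b"MZ trojan the AV vendor already has a signature for",
    "zeroday.exe":   b"MZ never-before-seen dropper that arrived as an attachment",
}

# The "AV signatures": only the old trojan is known.
KNOWN_BAD: Set[str] = {sha256(FILES["oldtrojan.exe"])}


def blacklist_decide(data: bytes, known_bad: Set[str]) -> str:
    """Classical AV: block what is recognized, let everything else through."""
    return "block" if sha256(data) in known_bad else "allow"


def build_baseline(files: Dict[str, bytes]) -> Set[str]:
    """Whitelist = hash of everything present when the baseline is taken.
    This is the "system state known good" assumption: if the box was not
    clean at that moment, whatever was on it gets approved with the rest."""
    return {sha256(d) for d in files.values()}


def whitelist_decide(data: bytes, baseline: Set[str]) -> str:
    """Execution control: allow only what is on the baseline, block everything else."""
    return "allow" if sha256(data) in baseline else "block"


def hybrid_decide(data: bytes, known_bad: Set[str], known_good: Set[str]) -> str:
    """Three-state decision: known bad, known good, or unknown (held for a verdict)."""
    h = sha256(data)
    if h in known_bad:
        return "block (known bad)"
    if h in known_good:
        return "allow (known good)"
    return "block (unknown: needs user or community verdict)"


def compare(files: Dict[str, bytes], known_bad: Set[str], baseline: Set[str]) -> Dict[str, Dict[str, str]]:
    return {
        name: {
            "blacklist": blacklist_decide(data, known_bad),
            "whitelist": whitelist_decide(data, baseline),
            "hybrid": hybrid_decide(data, known_bad, baseline),
        }
        for name, data in files.items()
    }


if __name__ == "__main__":
    # Baseline taken on a clean box: only the editor was present.
    clean = build_baseline({"notepad.exe": FILES["notepad.exe"]})
    for name, verdicts in compare(FILES, KNOWN_BAD, clean).items():
        print(name, verdicts)
    # Baseline taken after the trojan was already installed.
    dirty = build_baseline({k: FILES[k] for k in ("notepad.exe", "oldtrojan.exe")})
    print("trojan under dirty baseline:", whitelist_decide(FILES["oldtrojan.exe"], dirty))
```

Under the clean baseline, `zeroday.exe` is the Achilles heel case: the blacklist returns "allow" because it has never seen the hash, while the whitelist returns "block" for the same reason. Under the dirty baseline the whitelist returns "allow" for `oldtrojan.exe`, which is why the post insists on a blacklist scan before the baseline is taken; the hybrid decision still catches it because known-bad is checked first.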

herbalist
March 10th, 2007, 05:30 PM
I agree with the basic statement "If it can't execute it can't infect" as long as the term "it" refers to a malicious process. Where this statement can run into trouble is when "it" is a legitimate process being used maliciously. "Regedit" is not a malicious process, but a script using it to delete the autostart entries for your security apps would definitely qualify as malicious usage of a legit app. If "it" also includes the malicious usage of legitimate applications, then the statement holds true.

I don't know Process Guard well enough to know how well it controls the activities of the allowed processes as I prefer SSM. Even then, I wouldn't ask SSM to stand alone. I'd still want a firewall to prevent the internet content from reaching the application firewalling software.

The combination of a router, NoScript, and either PG or Cyberhawk is a variation of a security policy using the 3 control rules. Personally, I like more control than that, especially of outbound traffic, but what you describe does serve all 3 functions to a degree. No matter which apps you use, the resulting protection is always a matter of degree. There is no perfect solution as long as windows is the operating system. No matter what the setup, there's always some way to defeat it. Often when the software and its configuration is strong, the user is the most vulnerable target, which is one of the reasons I suggest disconnecting the user interface on apps like SSM. The user doesn't get prompted with a potential mistake.

I don't view a system from the perspective of PG or SSM being "up front". The firewall controls the traffic from the net. Basically it's first in line and will be responsible for keeping out all attacks that don't pass thru permitted channels. By controlling traffic, it stands between the net and your application firewall or HIPS, preventing a direct attack on it. In turn, the HIPS prevents malicious apps from running and attacking the firewall. Apps like SSM can restart the firewall if some type of internet attack terminates it. By interlocking or "layering" the components, the strength of the package is more than the strength of its parts. That's what you strive to set up.
Rick
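The parent-child execution control described in this post and in the earlier one about SSM rulesets (a legitimate tool like regedit is fine when the user starts it, not when a script does; unknown processes never run; with the UI disconnected nobody is even asked), as an added example. This is not SSM's or Process Guard's rule format; the process names and the policy are constructed, and the `ask` callback stands in for the user answering a prompt.

```python
"""Parent/child execution control with a default-deny policy (added example).

POLICY and the process names are constructed; `ask` models the user prompt.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Which parent may start which child. Anything not listed is denied.
# regedit.exe is legitimate, but only explorer.exe (the user, interactively)
# may start it; a script host starting it is the "legit app used maliciously"
# case, e.g. a script deleting the autostart entries of the security apps.
POLICY: Dict[str, Set[str]] = {
    "explorer.exe": {"browser.exe", "mail.exe", "wscript.exe", "regedit.exe"},
    "browser.exe": {"proxy.exe"},
    "mail.exe": set(),      # the mail client may not start anything (no attachments run)
    "wscript.exe": set(),   # scripts may not spawn processes at all
}


class ExecControl:
    def __init__(self, policy: Dict[str, Set[str]],
                 ask: Optional[Callable[[str, str], bool]] = None):
        self.policy = policy
        self.ask = ask                          # None models "UI disconnected"
        self.prompts: List[Tuple[str, str]] = []  # what the user was asked about

    def decide(self, parent: str, child: str) -> str:
        if child in self.policy.get(parent, set()):
            return "allow"
        if self.ask is None:
            return "block"                      # silent block, no prompt to be tricked by
        self.prompts.append((parent, child))
        return "allow" if self.ask(parent, child) else "block"


def run_chain(ctl: ExecControl, chain: List[str]) -> List[str]:
    """Walk a launch chain parent -> child -> grandchild, stopping at the first block."""
    decisions = []
    for parent, child in zip(chain, chain[1:]):
        d = ctl.decide(parent, child)
        decisions.append(d)
        if d == "block":
            break
    return decisions


if __name__ == "__main__":
    silent = ExecControl(POLICY)                       # UI disconnected
    print(run_chain(silent, ["explorer.exe", "regedit.exe"]))                 # ['allow']
    print(run_chain(silent, ["explorer.exe", "wscript.exe", "regedit.exe"]))  # ['allow', 'block']
    print(run_chain(silent, ["explorer.exe", "mail.exe", "dropper.exe"]))     # ['allow', 'block']

    # Same policy, but with a user who answers "yes" to every prompt: the
    # attachment runs. The prompt, not the policy, is the weak spot.
    click_happy = ExecControl(POLICY, ask=lambda parent, child: True)
    print(run_chain(click_happy, ["explorer.exe", "mail.exe", "dropper.exe"]))  # ['allow', 'allow']
```

The chain `explorer.exe -> wscript.exe -> regedit.exe` is the case the post describes: both programs are legitimate and both are on the policy, but the pairing is not, so the second launch is blocked. The `click_happy` run is the reason the post suggests disconnecting the UI: with a prompt available, the user becomes the thing that gets exploited.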

Rmus
March 10th, 2007, 05:41 PM
-{ Quote: "At least in my view...

Blacklists ....

Whitelists ...." }-Superb analysis (as usual)

That should be a sticky post somewhere as part of developing a good security strategy.

-rich