HIPS versus Anti-Executable
ssj100
August 22nd, 2009, 05:05 PM
Not sure if anything like this has been discussed on Wilders before, but here we go.
I'm just wondering what people's thoughts are with regards to HIPS and Anti-Executable programs. What is the big advantage of a HIPS over an Anti-Executable? If an unknown executable is unable to even start/run, wouldn't that provide you with bullet-proof protection alone? Where would the HIPS play any additional role?
arran also made an interesting point about controlling the behaviour of trusted applications. With regards to security vulnerability, what is the advantage of doing this? If you've trusted your executable, shouldn't you allow it to run freely? Sure, that executable should NOT be able to start/run other executables - Anti-Executable programs prevent this from happening too (default-deny).
So what are people's thoughts on this? Rmus has clearly shown us that Anti-Executable programs are pretty much bullet-proof, and I'm finding this to be the case too. I've tested quite a few malware, and nothing seems to be able to bypass the default-deny of the Anti-Executable.
I guess one specific question I have is whether anything can modify your computer dangerously without using an executable process (and thus would bypass the Anti-Executable). Thanks for any thoughts.
Rmus
August 22nd, 2009, 07:14 PM
-{ Quote: "arran also made an interesting point about controlling the behaviour of trusted applications. With regards to security vulnerability, what is the advantage of doing this? If you've trusted your executable, shouldn't you allow it to run freely? Sure, that executable should NOT be able to start/run other executables - Anti-Executable programs prevent this from happening too (default-deny). " }-
With a program such as Faronics Anti-Executable, you would turn off the protection to install a program. During the installation process, other executable files -- .sys, .dll -- will install. You need to leave AE off until all of the files have installed. Once AE is turned back on, all of the executable files will be added to the White List, so that the new program will indeed be able to start/run these other executables.
-{ Quote: "I guess one specific question I have is whether anything can modify your computer dangerously without using an executable process (and thus would bypass the Anti-Executable). Thanks for any thoughts." }-
For convenience, executable file types are classified into two categories:
binary - .exe, .dll, .ocx, .sys etc
script - .vbs, .js etc
I don't know about other Anti-Executable programs, but Faronics AE blocks only binary executable files, not scripts. Theoretically, a script file -- .vbs etc -- could do damage.
I haven't seen this method used in exploits in a long time.
By the way, these scripts refer to files executed on the hard drive or flash drive, not scripts embedded in web pages, which are controlled/interpreted by the browser.
----
rich
arran
August 22nd, 2009, 07:27 PM
MD blocks script files from running.
arran
August 22nd, 2009, 07:38 PM
With regards to using AE2 or a HIPS, I guess it depends on if you want to control the behavior of trusted apps.
I personally need a HIPS to stop my IGZones program from terminating Age of Conquerors. I agree it's not a security issue but more of an inconvenience when this happens.
I also like to have file and folder rules to prevent programs from reading sensitive files, like Admuncher, which always tries to, and I don't know what information it sends out on the internet.
wat0114
August 22nd, 2009, 07:56 PM
-{ Quote: "
What is the big advantage of a HIPS over an Anti-Executable? If an unknown executable is unable to even start/run, wouldn't that provide you with bullet-proof protection alone? Where would the HIPS play any additional role?" }-
Far more detailed alerts on what the executable is attempting to do during the installation process, and granular control for the user in what she/he wants to allow. But is this an advantage? Well, it depends entirely on what the user wants to see, the number of alerts they're willing to deal with, and perhaps most importantly, their technical level of understanding of what the alerts actually mean.
-{ Quote: "arran also made an interesting point about controlling the behaviour of trusted applications. With regards to security vulnerability, what is the advantage of doing this?" }-
He might be referring to trusted applications like explorer.exe, rundll32.exe, cmd.exe, svchost.exe, and other Windows processes and services which often have tremendous influence on other processes. Mostly the influence is not only harmless but also necessary, but malware could attempt to enlist these trusted processes as part of their viral-infesting routine.
-{ Quote: "If you've trusted your executable, shouldn't you allow it to run freely?" }-
For most people, the answer is yes. For the minority who want absolute control over everything...no. They may see something like: "Process abc.exe is attempting low level access to disk", and this could be construed as malicious, so they have, theoretically at least, a chance to kill the installation process at that point.
-{ Quote: "So what are people's thoughts on this? Rmus has clearly shown us that Anti-Executable programs are pretty much bullet-proof, and I'm finding this to be the case too." }-
Absolutely they are. After all, and this has been stated many times by others in this forum, if it can't execute it can't harm.
-{ Quote: "I guess one specific question I have is whether anything can modify your computer dangerously without using an executable process (and thus would bypass the Anti-Executable). " }-
Sorry, I don't know. I think Rmus has answered this regarding scripts?
arran
August 22nd, 2009, 08:37 PM
With preventing scripts from running, this could be a way; I haven't personally got around to testing it yet, but maybe someone else can? XP-AntiSpy hardening tool.
arran
August 22nd, 2009, 08:47 PM
Also another reason to use HIPS: some programs such as Google Earth like to create unwanted child processes such as googleupdate.exe.
Bottom line is, if you are happy with your trusted programs running riot and doing as they please, then you don't need a HIPS and Anti-Executable is for you.
StevieO
August 22nd, 2009, 09:11 PM
We could probably be very well defended with just 2 Apps
AntiExe App
AntiScript App
* AE Apps *
Antiexecutable - http://www.faronics.com/html/antiexec.asp
Winsonar - http://digilander.libero.it/zancart/winsonar.html
Trustnoexe - http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
* AS Apps *
Script Defender - http://www.analogx.com/contents/down...d/Freeware.htm
-
With SD you can block all manner of scripts like .VBS etc. Plus you can also add in whatever else you want, such as .BAT, .COM etc.
Whenever an included extension tries to launch, it will instantly intervene and block it, and ask you if you want it to run or not.
I've been using it for years, and it works every time. Uses NO resources except when blocking, and then hardly any, and only until you allow/deny.
When I was on 98SE I relied on Winsonar + Script Defender to help protect me, along with properly securing IE6 + the OS. I can honestly say they NEVER ever let me down. I used to daily seek out and try to run all sorts of bad stuff, including Rootkits + Trojans etc. Not even one of these got through EVER. The only times they did was when I purposely disabled the Apps to see what would actually happen. And one other time when I allowed a new-to-me App to install without first scanning it etc.
So based on my personal experiences with those two Apps, I'd say they're a pretty rock solid combination together. I'm seriously thinking about going back to this setup, with just a Firewall too.
-
ssj100
If you go to the SD www you can download a test .VBS script to run. It already comes included with the SD App.
Joeythedude
August 22nd, 2009, 09:15 PM
HIPS
What I like about HIPS is that it can alert me if a program trusted by me is installing a driver file.
If I didn't expect a driver file, a *.sys file, then that's possible malware.
AE
AE's do not block malicious scripts , but then they aren't meant to.
If you look at attack vectors , & malware in the wild ..
1)
USB attack vector -> I never heard of it.
Expect it's not used much these days.
2)
Browser attack vector -> Yes.
2.1)
However browsers are designed to run scripts and not to access a local system. It's only when a browser is exploited that scripting is a problem in terms of accessing a local system.
2.2)
Malware in the wild tends to have exes associated with it, even if the attack is partially script based.
The main reason I like AE is the "feeling secure", bringing security back to risk and emotions. I can understand it 100%.
It's a whitelist of the exes and dlls on my system.
When I read about this exploit and that proof of concept... I find that it needed an exe on my system at some point, and then it's no longer an issue.
Keyboard_Commando
August 22nd, 2009, 09:17 PM
I've had Script Sentry running in the background since mmm crikey 2003 or something ... it has never flagged me once in all that time to say something is wrong. Just flags when I click on a reg key to warn me. Interestingly OA hips doesn't flag for when a reg file is added.
AppGuard is much along the same lines as Faronics anti exe? I was watching the review for it from remove-malware.com on youtube. Seems quite an interesting app.
wat0114
August 22nd, 2009, 09:26 PM
-{ Quote: "
Please keep in mind that I am looking at a user who has a good level of understanding of classical HIPS (so there's not much point in using a 92 year old grandma and say she might prefer anti-executable, because she won't understand the HIPS alerts haha).
As far as I can tell, anti-executables will block all these 3 ways (by default-deny), and block them with incredible simplicity.
" }-
Sure, but it isn't just 92 year old grandmas who prefer simplicity ;)
IMO, it is easy enough to "tune" a HIPS to behave with the simplicity of an AE, or set it up to alert on absolutely anything and everything it's capable of detecting, if this latter "paranoid" approach is desired. So, if cost is similar to an AE and the user has the ability to figure out the HIPS, I'd say the HIPS is the best approach, since it affords some additional options the AE might not contain.
arran
August 22nd, 2009, 09:30 PM
There is also the option of using the app called "Process Guard"
Joeythedude
August 22nd, 2009, 09:45 PM
-{ Quote: "Hey mate, AE will also easily block any unknown drivers, since it blocks .sys files right?" }-
I'm not 100% sure on that.
Scenario is:
AE is turned off.
I trust the application I'm installing.
But it might have been corrupted by malware, a bad download site or my mistake to trust it!
So it's an unexpected driver in a program that I'm installing.
Can be tested in Sandboxie, which is what I use.
wat0114
August 22nd, 2009, 09:48 PM
-{ Quote: "Well, the main issue I had with a classical HIPS is having to continually update and configure your rules whenever you update an application. I generally like keeping all my applications updated.
" }-
But most HIPS have a "Learning mode" or "Install mode" to make this update process very easy, especially if the user mitigates the alert activity by fine-tuning it to alert only on new executables attempting to launch.
Dregg Heda
August 22nd, 2009, 10:12 PM
-{ Quote: "Hey Keyboard_Commando, sounds like Script Sentry adds .reg files to block by default. Script Defender doesn't have that.
And yes, I think from memory, I've noticed Defense+ doesn't alert when .reg files are executed." }-
I think you can configure Script Defender to block any files you want.
Keyboard_Commando
August 22nd, 2009, 10:21 PM
-{ Quote: "Hey Keyboard_Commando, sounds like Script Sentry adds .reg files to block by default. Script Defender doesn't have that.
And yes, I think from memory, I've noticed Defense+ doesn't alert when .reg files are executed." }-
Yeah, it gives a double warning also, which is quite handy if you accidentally execute a reg file. There is a customizing function where you can add further extensions for it to monitor, but I haven't really looked into this - it's really one of those apps you forget you even have running.
Rmus
August 22nd, 2009, 10:30 PM
-{ Quote: "I've had Script Sentry running in the background since mmm crikey 2003 or something ... i" }-
Please search the forums for discussions of Script blockers such as Script Sentry and Script Defender for inherent weaknesses against certain types of exploits.
Regarding these script exploits, it might be well to consider how they work. We are not talking here about browser scripts, rather, script files such as .vbs.
First, they have to get onto your hard drive somehow. The initial question that should come to mind is, How would a malicious .vbs or other script file get downloaded onto my hard drive in the first place, and why would I click to execute it?
1) There is the classic example of the Love.vbs worm which arrived as an email attachment.
Ask yourself: Are my policies and procedures regarding email and attachments secure and robust so that I would not execute such a file in the first place?
2) Remote Code Execution: Autorun.inf file on a USB drive
Ask yourself: Are my policies and procedures regarding USB secure and robust so that such a file could not execute? Specifically,
do I avoid the use of U3 smartdrives (flash drive)?
do I avoid letting someone else's USB drive connect to my computer?
3) Remote Code Execution: Macros in MSOffice Documents
Ask yourself: Is macro protection enabled in MS Office applications? Under what circumstances would I open someone else's Office document?
You may think of other scenarios that could trigger a script exploit. But if you cover these bases with secure policies and procedures, it may turn out that you don't need any added security product for protection.
----
rich
Dregg Heda
August 22nd, 2009, 10:35 PM
What's the problem with U3 smart drives? And isn't disabling autorun.inf enough to deal with USB related threats? Thanks.
Dregg Heda
August 22nd, 2009, 10:38 PM
-{ Quote: "I've noticed a rather serious issue with SD - when you uninstall it, all the file extensions that you configured it to ask/block on execution no longer know how to execute themselves!
For example, try adding .exe to the file extension protection. Now, uninstall Script Defender. Now, try executing any .exe file - it will now ask you what program you want it to execute with!" }-
Wow, SD is so powerful it provides protection even AFTER it's been uninstalled! :o ;D
Keyboard_Commando
August 22nd, 2009, 10:45 PM
-{ Quote: "Please search the forums for discussions of Script blockers such as Script Sentry and Script Defender for inherent weaknesses against certain types of exploits.
" }-
It's funny you should say that, 'cos I have been looking at a post you contributed to back in 2008 on here, and it seems like Script Sentry failed. I will go have another look through.
trismegistos
August 22nd, 2009, 10:46 PM
You can configure your HIPS to act like a no pop-ups default-deny. And as arran pointed out, I like the HIPS finetuning controls of the behaviours of your trusted applications.
Here is the analogy of Anti-executable versus HIPS:
Just like you can configure your browser to block all javascripts globally or on per-site basis like what NOScript gives, this set-up is akin or parallels what Anti-executable does, but I prefer the finetuning controls of a local proxy/webfilter like Proxomitron, as I can allow friendly javascripts, and disallow evil and nasty as well as those nosey javascripts and the latter is like HIPS in the finer controls that it provides.
Rmus
August 22nd, 2009, 10:50 PM
-{ Quote: "I've noticed a rather serious issue with SD - when you uninstall it, all the file extensions that you configured it to ask/block on execution no longer know how to execute themselves!" }-
Did you Remove Intercepts before uninstalling?
-{ Quote: "Whats the problem with U3 smart drives? And isnt disabling autorun.inf enough to deal with usb related threats? Thanks." }-
Only U3-type flash drives will execute an Autorun.inf file. If you don't use such a drive, even if infected from another's computer, the autorun.inf file will not execute and you will see it plus some malware when you view the contents of the drive.
-{ Quote: "I've tried searching, but I can't find any posts on how Script Defender has inherent weaknesses. Could you link me up, or perhaps tell me about these? Thanks. " }-
These script blockers work by modifying the Shell/Open/Command value of the file type in the Registry, to point to the blocking program instead of the script engine. This means that the blocking program controls the Windows File Association for that file type, so that when you double-click on the file, the blocking program intercepts the call.
This is fine for victims who click on malicious files, but will not prevent the command prompt or the script engine being called directly in an autorun.inf file from executing the malicious script file. Hence, the uselessness of such programs to protect against the trickiest types of script exploits - those by remote code execution. Anyway, if you've got firm policies for USB, even this is a No-Threat and you don't need a separate program.
I've got screen shots in past threads discussing these programs.
-{ Quote: "Also, wouldn't an anti-executable block all USB threats?" }-
Not if the autorun.inf file launches a script file type rather than a binary file type.
EDIT: it would depend on what the particular anti-executable program covers. Faronics AE does not cover scripts except .bat in version 3.
----
rich
Keyboard_Commando
August 22nd, 2009, 10:54 PM
I found the discussion.
http://www.wilderssecurity.com/showthread.php?t=203483&highlight=script+sentry
StevieO
August 22nd, 2009, 11:09 PM
* Script Defender *
Whatever you include when you CHOOSE to click Install Intercepts whilst you have SD installed must be returned to its original state if you uninstall it. It's simply done by launching SD and just clicking on Remove Intercepts.
This is something that obviously has been overlooked by some of the responses so far.
-
You can also make your OS much more secure by locking it down further, as I have been doing since 98SE days. There is an extra Zone that can be enabled in IE Options, but it's not for the browser, as the other Zones are. It's identical to the Internet one, but for your computer, actually called My Computer.
You can disable and/or set to prompt all sorts of potentially vulnerable vectors such as ActiveX, Scripting, Java, Iframes etc., just like you can for IE. This works even if you don't use IE. It doesn't take long to do, and all for free too! Here's how:
How to Enable the My Computer Security Zone in Internet Options - http://support.microsoft.com/kb/315933
Rmus
August 22nd, 2009, 11:09 PM
-{ Quote: "So what you're saying is that even with an anti-executable and a script blocker, one can still get attacked via an external device connecting to your system and launch a scripting attack via autorun.inf? " }-
Yes. Hopefully, knowledgeable people would not permit that to happen, and would help others set up secure policies and procedures regarding USB.
-{ Quote: " what if I disabled Windows Script Host? Would that prevent all scripting attacks (outside of the browser)?" }-
It has prevented all of the exploits and tests I've run with it disabled.
----
rich
StevieO
August 22nd, 2009, 11:26 PM
Further to what Rmus said about wscript.exe:
Here's how I've disabled it, but you have to be quick in renaming both.
Rmus
August 22nd, 2009, 11:31 PM
Another way to control the script engine is to use Registry Files to toggle Enable-Disable:
Disable:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000
Enable:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000001
----
rich
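Both of Rich's registry points above (the script blockers that rewrite a file type's Shell\Open\Command, and the Windows Script Host "Enabled" value his Disable/Enable .reg files toggle) can be checked from one place. The following audit script is an added example, not from the thread or from any product named in it; it assumes Windows PowerShell 5.1 or later, and only Set-WshEnabled needs an elevated prompt.

```powershell
# Added audit script (not from the thread). Reads the registry locations discussed above:
#  - the Windows Script Host "Enabled" value (machine-wide and per-user hives), and
#  - the Shell\Open\Command handler for the common script file types.
# Assumes Windows PowerShell 5.1+; Set-WshEnabled needs an elevated prompt.

$WshSettingsSubKey = 'Microsoft\Windows Script Host\Settings'

function Get-WshStatus {
    # A missing "Enabled" value means WSH is enabled (the Windows default).
    # The HKCU value, when present, applies to that user; the HKLM value applies to everyone.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\SOFTWARE\$WshSettingsSubKey"
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Enabled
        }
        if ($null -eq $value)       { $state = 'not set (enabled by default)' }
        elseif ([int]$value -eq 0)  { $state = 'disabled' }
        else                        { $state = 'enabled' }
        [pscustomobject]@{ Hive = $hive; State = $state }
    }
}

function Set-WshEnabled {
    # Same effect as the Disable/Enable .reg files above, written with Set-ItemProperty.
    param([Parameter(Mandatory)][bool]$Enabled)
    $path = "HKLM:\SOFTWARE\$WshSettingsSubKey"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'Enabled' -Type DWord -Value ([int]$Enabled)
}

function Get-ClassesDefault {
    # Returns the (default) value of a key under HKCU\Software\Classes or HKLM\SOFTWARE\Classes,
    # per-user first, because that is the order Windows merges them into HKEY_CLASSES_ROOT.
    param([string]$SubKey)
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $key = Join-Path -Path $root -ChildPath $SubKey
        if (Test-Path -Path $key) {
            $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($default) { return $default }
        }
    }
    return $null
}

function Get-ScriptAssociation {
    # Resolves extension -> ProgID -> Shell\Open\Command and classifies the handler.
    # A blocker such as Script Defender shows up here as an "other program" handler.
    # Rich's caveat still applies: this handler is only consulted for shell launches
    # (double-click), not when wscript.exe/cscript.exe is invoked directly with the file
    # as an argument, so the WSH "Enabled" value is the control to rely on.
    param([string[]]$Extensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'))
    foreach ($ext in $Extensions) {
        $progId  = Get-ClassesDefault -SubKey $ext
        $command = $null
        if ($progId) { $command = Get-ClassesDefault -SubKey "$progId\Shell\Open\Command" }
        if (-not $command)                              { $handler = 'no association' }
        elseif ($command -match '\b[wc]script\.exe')    { $handler = 'script engine' }
        else                                            { $handler = 'other program (interceptor?)' }
        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Command   = $command
            Handler   = $handler
        }
    }
}

Get-WshStatus         | Format-Table -AutoSize
Get-ScriptAssociation | Format-Table -AutoSize
```

Run it before and after applying either .reg file to confirm the Enabled value actually changed in the hive you expect.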
Toby75
August 22nd, 2009, 11:35 PM
Hey Rich,
Do you think it would be a good idea to block the actions of scrobj.dll?
Thanks,
Toby
Rmus
August 22nd, 2009, 11:37 PM
Sorry, I don't know what that is.
----
rich
Dregg Heda
August 22nd, 2009, 11:42 PM
-{ Quote: "
Only U3-type flash drives will execute an Autorun.inf file. If you don't use such a drive, even if infected from another's computer, the autorun.inf file will not execute and you will see it plus some malware when you view the contents of the drive." }-
So conversely I could just disable autorun.inf and I will not have to worry about U3 smart drives or anything else?
Is it possible for malware to hide itself on the USB drive so that I can't see it, even if autorun.inf is disabled? What if the malware had infected one of the non-malware files on the drive? And I then run the "clean" file. I assume that I will get infected, right?
Dregg Heda
August 22nd, 2009, 11:47 PM
So which are the scripts that should be disabled? Will there be any loss of functionality in disabling scripts?
trismegistos
August 22nd, 2009, 11:51 PM
-{ Quote: "Indeed. However, if there is no security vulnerability when using an anti-executable (let's forget about scripting attacks for now), then why not go for this more simplified option? I am also thinking of the future, when there will be novice/average users using my system. An anti-executable just makes things so much easier for these types of users (default-deny with no questions asked).
Yes, I am well aware of configuring the HIPS to have zero pop-ups. There's a good post on how to do that with Defense+ on the Comodo forums.
However, as I said, updating applications becomes a bit of a hassle right? Unless you enjoy re-configuring your HIPS every time you update an application? Or you enjoy putting it into learning mode, running the updated program in learning mode (and thus put yourself at risk of being attacked), and then remember to get out of learning mode before it's too late? To be honest, I actually enjoyed this haha. But I'm not sure if you do, and I certainly don't enjoy it as much as I used to." }-
Ah ok. I don't have those problems, as I share or believe in noone_particular's particular philosophy.
It ultimately boils down to the user's preferences, situations and needs. Using HIPS entails a lot of the user's patience and time, and willingness to learn. A better alternative like this anti-executable or LUA-SRP will better suit them. Update us on how this goes along. I might try this in the future.
Rmus
August 23rd, 2009, 12:13 AM
-{ Quote: "So conversely I could just disable autorun.inf and I will not have to worry about U3 smart drives or anything else? " }-
That would seem to be the case.
-{ Quote: "Is it possible for malware to hide itself on the USB drive so that I cant see it, even if autorun.inf is disabled? " }-
If your Windows configurations are set to display hidden files/folders, then no.
-{ Quote: "What if the malware had infected one of the non-malware files on the drive? And I then run the "clean" file. I assume that I will get infected right?" }-
Sounds logical.
----
rich
trismegistos
August 23rd, 2009, 12:41 AM
-{ Quote: "It's not that you don't have a "problem". All classical HIPS users have that "problem", but they don't mind it, and don't mind spending more time re-configuring their applications whenever they update etc." }-
I mean, Noone_particular and I are totally free from the vicious 'update' cycle of software, including the operating system. We no longer need those patches or updates that further add complexities, which add other holes to be patched.
Nice to hear, it goes along very well. As you have said it, if there are simpler ways of doing it in achieving the same ends, why not choose the simpler one.
trismegistos
August 23rd, 2009, 02:18 AM
-{ Quote: "Hey mate, I'm not really talking about security updates. I'm more talking about standard updates like upgrading from Firefox 1 to Firefox 3.5. I think most people would agree that Firefox 3.5 is better than Firefox 1 right? So most people would want to use a later Firefox version, especially if it had some good new functions to use?
Anyway, if you don't mind not upgrading your applications to get more usability and functions, then classical HIPS will suit you just fine.
" }-
I think at this point in time, much of the software has fully matured already. Much of the updates are really patching some bugs and vulnerabilities, adding some eye flavor etc., not much on added functionality. I don't need some cloud computing, etc. You have heard of oldversion firewalls that withstood the test of time; adding HIPS further adds more protections. I also have buffer overflow protections in place.
Btw, I rarely use Firefox as I find it sluggish. I often use the oldversion browser with lots of multiple vulnerabilities published, but still I find it more stable; those vulnerabilities didn't scare me from using it.
What more features do I really need? A browser is just a browser to me. What I do on the computer is mostly browsing, multimedia and using some office applications. Most of the functionalities that are added, most of the time I don't use or will never use. If I deem fit to upgrade, I do so with not much hassle. Few notable exceptions include Sandboxie, of which every release is much more stable, hardened, faster, in an ever smaller size form. For now, the added features in most applications are all eye candy to me, and most are really just bug fixes or pure bloat. 'The simpler it is, the more stable and faster' is my credo. With that I might try your set-up with those added tweaks you suggested one of these days.
thathagat
August 23rd, 2009, 02:40 AM
well........
1. HIPS tell you when a trusted programme is changed; I doubt AE does that.
2. HIPS today offer verification of files through options like OASIS/Defense net/OP improvenet; I doubt AE can do likewise.
3. HIPS have install mode/learning mode; I doubt AE has them.
4. AE has an effective allow/deny function, so whatever executes you are aware of and in control, but so do HIPS, and they offer the option of allowing once/blocking once/making rules, which offers much tighter control than the white/black list of AE.
5. HIPS use sha-256/md5 verifications from the server side; I don't know if AE can do that....
kasperking
August 23rd, 2009, 03:08 AM
The more the merrier sadly isn't true for securing a PC. Wilders these days is awash with paeans of SBIE/HIPS/BB/cloudies and what not; this layered business has really got stuck, so that many now have 2-3 BB/AS etc. Just having a good AV, e.g. Avira, a pure simple firewall like Kerio 2.15 and, if desired, something like TF/Mamutu is more than enough; so much for AE/HIPS.
Windchild
August 23rd, 2009, 04:27 AM
-{ Quote: "
This will automatically block out what anti-executable doesn't - malware run by Windows scripts, and malware run by Windows command prompt. You will always get an alert each time the malware tries to run, so there's no danger of you being unaware that you just got attacked.
I'm just wondering my Rmus didn't recommend this from the start haha." }-
My guess is he didn't recommend it because for some people it would be a counterproductive setup. Some people use the command prompt for useful things. I do. I would certainly not want to disable it.
But for someone who doesn't need scripts or cmd.exe for anything, sure, you could block them. If your anti-executable (that word annoys me for some reason - perhaps because it sounds like it considers executables to be something bad, which is quite an "interesting" view on things) allows for a decent level of configuration, you could simply block it all, for example wscript.exe and cscript.exe for Windows Scripting Host, and shscrap.dll for those boring shell scrap files. That way, your anti-executable could be used to very effectively block a whole lot of scripts. That is, if you don't want to use the other methods to do this.
-{ Quote: "So yes, anti-executable (for system-wide protection) combined with Sandboxie (for internet facing applications), combined with a software Firewall will give you 100% protection I think (barring user error). I say this because I want someone to challenge this setup and say that it's not 100% - please feel free to do so, as I am still learning haha.
Finally, I think usability and convenience is sacrificed to a minimum here (not bad, considering 100% security right? haha), and certainly less than if I used a classical HIPS in place of AE 2.3." }-
There is no 100 % security in any scenario where users actually have to do diverse and complex tasks with a general purpose computer system (such as occasionally copy new programs on the system and then execute them - for example, a Firefox update). There simply isn't. 100 % security would require a perfectly flawless system, and so far no complex thing made by humans was flawless. What exists is "good enough" and "close enough." So there's really no point in all the "Is this 100 %?" questions that we so often see. The answer is always "No, it's not 100 %, but for your needs, it may well be close enough or even too much." That's pretty much all there is to it. That may sound like one of them "philosophical" arguments, but I assure you it's not. Software has flaws, vulnerabilities get exploited, bad things happen. If one falls into believing they're somehow 100 % safe, that only makes it easier for people who want bad things to happen to make them happen - a false sense of security. Still, even in such a case it might still be very hard to make those bad things happen, which is of course the goal - "good enough" security that does not damage usability too much.
As for HIPS vs AE? In my personal view, sometimes simpler is better. If I had to choose between those two and had no other choice, then I'd go with AE. Lighter, less stability problems, and less questions. On the other hand, if you regularly execute applications that you really don't trust and consider suspicious and believe you need to constantly watch what they do, then HIPS would certainly be for you. Me, though, I'd sooner just avoid executing stuff that I don't trust.
Boost
August 23rd, 2009, 04:43 AM
-{ Quote: "My guess is he didn't recommend it because for some people it would be a counterproductive setup. Some people use the command prompt for useful things. I do. I would certainly not want to disable it.
But for someone who doesn't need scripts or cmd.exe for anything, sure, you could block them. If your anti-executable (that word annoys me for some reason - perhaps because it sounds like it considers executables to be something bad, which is quite an "interesting" view on things) allows for a decent level of configuration, you could simply block it all, for example wscript.exe and cscript.exe for Windows Scripting Host, and shscrap.dll for those boring shell scrap files. That way, your anti-executable could be used to very effectively block a whole lot of scripts. That is, if you don't want to use the other methods to do this.
There is no 100 % security in any scenario where users actually have to do diverse and complex tasks with a general purpose computer system (such as occasionally copy new programs on the system and then execute them - for example, a Firefox update). There simply isn't. 100 % security would require a perfectly flawless system, and so far no complex thing made by humans was flawless. What exists is "good enough" and "close enough." So there's really no point in all the "Is this 100 %?" questions that we so often see. The answer is always "No, it's not 100 %, but for your needs, it may well be close enough or even too much." That's pretty much all there is to it. That may sound like one of them "philosophical" arguments, but I assure you it's not. Software has flaws, vulnerabilities get exploited, bad things happen. If one falls into believing they're somehow 100 % safe, that only makes it easier for people who want bad things to happen to make them happen - a false sense of security. Still, even in such a case it might still be very hard to make those bad things happen, which is of course the goal - "good enough" security that does not damage usability too much.
As for HIPS vs AE? In my personal view, sometimes simpler is better. If I had to choose between those two and had no other choice, then I'd go with AE. Lighter, less stability problems, and less questions. On the other hand, if you regularly execute applications that you really don't trust and consider suspicious and believe you need to constantly watch what they do, then HIPS would certainly be for you. Me, though, I'd sooner just avoid executing stuff that I don't trust." }-
Thanks for posting this reply, seriously.
SSJ has a mission of achieving 100% security and it is quite laughable in an attempt to achieve something that's not attainable in computer security :argh:
Windchild
August 23rd, 2009, 07:10 AM
-{ Quote: "Thanks for posting this reply,seriously.
" }-
You're welcome. I'm just pointing out the obvious, which is pretty much all I ever do. I should change my forum name to Captain Obvious, but I figured that would be taken and the rank would be wrong, too, so... ;D
-{ Quote: "
What I was saying is that I am trying to achieve means of getting to that 100% in theory. " }-
I'd still say no. 100 % in theory? That depends on whether it's a poor theory or a good one. A poor theory would assume some kind of perfect world, where no vulnerabilities exist, in which case 100 % would be possible. On the other hand, if the theory assumes a perfect world, then no security measures are needed at all, because no-one will be bad. But then, this is poor theory. A good one would assume that vulnerabilities happen because humans have been observed to be imperfect, and then 100 % would be impossible in theory as well as practice. So, that's basically where it goes... In theory 100 % is impossible because in theory humans are not perfect, so some vulnerabilities happen. In practice, 100 % is impossible as well as ridiculous because humans are not only imperfect but just blatantly incompetent and sloppy quite often, so loads of vulnerabilities happen instead of just "some".
Or in other words, the options are: 1) 100 % is impossible in theory and in practice, when the theory is based on scientific empirical observations. 2) 100 % is impossible in practice but possible in theory, when the theory is based on vivid imagination and ideas instead of reality - in other words, when the theory is stupid.
-{ Quote: "And yes, the reason why I created this thread was to experiment and gather information to see if a classical HIPS could be replaced by an anti-executable, and still retain the same level of security. Some people seem to have taken a form of mockery to my diligence and learning, and even called it "laughable". " }-
I think looking for a lighter, cheaper and less bothersome but still reasonably secure setup is always a good goal. :thumb: I myself highly appreciate light setups that may not provide vast levels of control on which Windows DLLs my trusted programs can load at any given time, but consume little CPU time or memory and waste little time grinding my HDDs and cost nothing and introduce no new and potentially vulnerable code into the system which I intend to use for productive purposes instead of messing around with random software. It's not for everyone, but neither are HIPS products or mountain climbing. Whatever works for you, as they say. I think searching for and experimenting with setups that don't involve HIPS is a perfectly decent thing to do. It may lead you to a setup that is better for you, and increases productivity and enjoyment.
One can argue levels of security endlessly, but we should ask ourselves, does it really matter whether security setup X offers exactly the same level of security as setup Y or if it's worse or better, if both offer a reasonable level of security that is enough for our needs? The most important thing to anyone should be that the level of security is reasonable to them, not whether something else offers eeeeven better, but at a larger cost. :) But Windows security discussions have an unfortunate habit of gravitating towards paranoia and extremes and it's easy to get caught up in that. Something like: "Oh no, my HIPS fails this Zubutu-zabutu leaktest that first has to get on my system, then get executed with admin privileges, and only then can it root my system. Oh no, oh no, I need to switch to another HIPS that doesn't fail this Zubutu-zabutu leaktest. And when it fails the next test called Xibutu-xobutu, I have to change again. Is there no security??!!11!?" That kind of thinking is what is laughable, if one wants to use that word. Security is not 100 % impenetrable security software, it is an ongoing process with a critically important human element. Sure, one is entitled to having hobbies, and it's an entirely valid hobby to switch security software every month in search of the one that fails the least in all kinds of leaktests - but no-one should call this a some kind of requisite of "security", it's just "playing around" instead. If someone mocks others for not using a HIPS, consider carefully whether that's the kind of person you should be taking any advice from. On the other hand, if someone calls a quest for 100 % security laughable, they may not be extremely polite, but they are still 100 % correct... ;)
thathagat
August 23rd, 2009, 07:19 AM
-{ Quote: " nothing in life is 100% full stop" }-
ummm.. I see a new thread title there ;)
-{ Quote: "security against real malware...This user error is difficult to prevent" }-
Well, so user discretion is paramount, right? Then HIPS provide better information about the unknowns, and I doubt anyone would intentionally install known malware ;D
Johnny123
August 23rd, 2009, 07:40 AM
-{ Quote: "
By the way, I'm actually quite surprised no one has mentioned SRP yet." }-
I'm not surprised at all. After a few people have preached to deaf ears in a couple of threads about LUA+SRP they have probably wearied a bit.
Although I must say, as I read your first posting the thought did occur to me that with LUA+SRP you wouldn't need any of this crap ;D
raven211
August 23rd, 2009, 08:04 AM
-{ Quote: "Yes haha. I always found SRP difficult to configure though." }-
Configure? I don't have it configured, but I do run it. ;D
Dregg Heda
August 23rd, 2009, 08:23 AM
-{ Quote: "That would seem to be the case.
If your Windows configurations are set to display hidden files/folders, then no.
Sounds logical.
----
rich" }-
Hi Rmus, thanks for responding. How exactly do I set Windows to display hidden files/folders? And in the latter case, how would I know if the malware had/had not infected the clean file?
Johnny123
August 23rd, 2009, 08:27 AM
-{ Quote: "Yes haha. I always found SRP difficult to configure though." }-
There isn't really much to configure unless you have a lot of apps installed in weird places. Take a look at this (http://www.mechbgon.com/srp/).
Dregg Heda
August 23rd, 2009, 08:27 AM
Can OA premium be configured to block ALL unknown executable binaries by default?
Windchild
August 23rd, 2009, 08:34 AM
-{ Quote: "Okay, there you go again haha. Stop taking me so literally mate. Perhaps "theory" was the wrong word to use. Let's say I meant "conceptually" 100%. I'm surprised you don't know what I meant actually, since I blatantly illustrated and defined again my thought process by trying to block all malware vectors. I try to use a conceptual approach, knowing that in practice, nothing is 100%.
" }-
Sorry. I have a nasty habit of taking things quite literally, and I'm annoyed by phrases like 100 % security. ;D I think I understood what you meant - trying to block all malware vectors - and I'm just saying that doing that with 100 % reliability in all scenarios, even without user error involved, is not possible, due to the issue of vulnerabilities for example. All we can do is get "close enough." Even if everyone who has posted in this thread is fully aware that 100 % security is impossible, it's worth sometimes stating the obvious, because there may well be people reading this thread at one point that believe security can be 100 %, since marketing from various companies constantly tells them something that sounds a lot like that. So, my point is simply this: Would a sandbox/firewall/anti-executable/scripting disabled type of setup be strong? Sure. Would it be 100 %? No. And I'm not saying that because I think some Wilders member doesn't know that, I'm saying it because I think it's worth saying. :)
-{ Quote: "
Also I'm not sure why you are talking about perfect worlds, human error, and scientific empirical observations. All I'm trying to talk about is replacing a classical HIPS with an anti-executable, while still maintaining the same level of security. In theory, this is possible." }-
The perfect world part was simply in response to the idea that 100 % security is possible in theory. As far as replacing HIPS with AE, I would not say it's necessarily maintaining the same level of security. That is why I said it's not important to consider whether X gives the same security level as Y, as long as both give a reasonable level of security that is enough for you. Personally, I would say that HIPS and AE both provide more than enough. Unfortunately, this is complicated stuff and the answers depend on the scenarios we're dealing with.
Would AE provide the same level of security as some HIPS in a scenario where the user accidentally double-clicks on a malware attachment in an email or a browser exploit tries to run some trojan .exe file it dropped in the browser cache folder? Kind of - both should prevent the malware from running immediately and infecting the system. Would AE provide the same level of security as some HIPS in a scenario where the user intentionally allows a file to be executed with admin privileges, without knowing the file is a malicious rootkit dropper that tries to load a driver to do its evil thing? No - the HIPS might be able to prevent the driver from being installed and could warn the user, and the system could perhaps avoid getting completely owned, whereas the AE would not do anything at all after the file was allowed to execute and would simply sit by as the system got owned. So, there are differences in the levels of security, depending on what kind of security you mean and want. If the only requirement is that random executables be blocked from running, then both AE and HIPS can do the job pretty effectively - and for many people this is all they want.
As I said before, I find simpler to be often better. I would rather choose AE than HIPS. LUA and SRP is the kind of "paranoid" combo that I like, which offers a high level of protection even though it has its flaws like anything and is not invulnerable in any way. It is, however, far more than "good enough" to avoid any dangerous malware currently known to be out there if the user isn't a complete disaster.
Basically, threads like this can be either long or short depending on how deep you want to go. Short answer is that AE provides a good enough level of security, especially when one remembers to consider the possibility of scripts being used to execute code without "permission" from the AE. Long answer is that in some scenarios AE beats HIPS and in some it loses to HIPS, and then follows the boring account of various scenarios with various what-ifs.
Peter2150
August 23rd, 2009, 09:12 AM
I think when you talk about attack vectors, exe's vs scripts isn't as important as understanding where you might be vulnerable. For example:
Online. Here I might be concerned about something downloading and running I don't know about, hence Sandboxie and a HIPS for me.
Email. Threat is what may be in an attachment I have to open (emails from clients). Here again, I use both Sandboxie and HIPS.
CD and USB autoruns. I've disabled them. Also if there is any doubt, I can sandbox them/use Shadowdefender to protect the system.
Programs I trust from trusted sources, I don't worry about.
Programs I am not sure about. Either I don't bother, or I put my system in Shadowmode, and test them in a VM machine. If all seems okay, I may still test on the host in shadowmode. If I can't do that, I don't run them.
Pete
raven211
August 23rd, 2009, 09:18 AM
-{ Quote: "There isn't really much to configure unless you have a lot of apps installed in weird places. Take a look at this (http://www.mechbgon.com/srp/)." }-
A good point to make would be that you run it in conjunction with LUA and SuRun - this way it gets easier to manage AND more secure.
Johnny123
August 23rd, 2009, 10:00 AM
-{ Quote: "A good point to make would be that you run it in conjunction with LUA and SuRun - this way it gets easier to manage AND more secure." }-
Good point. I assumed (which one shouldn't do) that LUA is also being used, as I don't see much point in SRP without it, that would be a half-baked solution.
SuRun has really made things easy for us LUA users. Some of the other attempts at a similar app that I've tried were either buggy, didn't do what it said on the tin or were just tedious to use.
Rmus
August 23rd, 2009, 12:13 PM
-{ Quote: "Hi Rmus thanks for responding. How exactly do I set windows to display hidden files/folders? " }-Tools|Folder Options|View
This is Win2K but it is the same with WinXP:
Check: Show Hidden files and folders
Uncheck: Hide file extensions
[attachment 211518]
Here is one of my external Hard Drives where I've set several files/folders with the Hidden Attribute, and Windows configured not to show hidden files/folders. An alert user might notice "plus 6 hidden" indicated in the Status Bar:
[attachment 211516]
Configuring to show hidden files and folders, we see the presence of an autorun.inf file and an executable file. They are shown in light gray indicating they have the Hidden attribute set:
[attachment 211517]
This was the trick that the Conficker worm used, and has been noticed with other USB infector exploits. If your drive became infected while you were copying files from another computer, you wouldn't know if your computer didn't show hidden files/folders.
-{ Quote: "And in the latter case how would I know if the malware had/had not infected the clean file?" }-I suppose you wouldn't know unless you scanned each file. And then, you would have to trust the scanner(s).
----
rich
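The Conficker-style trick Rmus describes (a hidden autorun.inf next to a hidden executable on a removable drive) can be checked for without relying on what Explorer chooses to show. The following is an added example, not code from the thread or from any product mentioned in it; the directory listing and the autorun.inf text are constructed for illustration, and the attribute bits are the standard Windows values that os.stat reports as st_file_attributes.

```python
"""Spotting the hidden autorun.inf + hidden executable pattern on a removable drive.

Added example, not code from the thread. The listing and the autorun.inf
text below are constructed for illustration; they are not real samples.
"""
import configparser
import os

# Windows file attribute bits (the same values os.stat() reports as st_file_attributes).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20

# Extensions Windows will execute (or load as code) when the entry is opened.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".dll", ".sys", ".vbs", ".vbe", ".js", ".jse", ".wsf"}

# Constructed listing of a USB stick: (name, attribute bits) as Explorer would see it.
SAMPLE_LISTING = [
    ("holiday_photos", FILE_ATTRIBUTE_DIRECTORY),
    ("report.doc", FILE_ATTRIBUTE_ARCHIVE),
    ("autorun.inf", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("RECYCLER", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY),
    ("update.exe", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ARCHIVE),
    ("readme.txt", FILE_ATTRIBUTE_ARCHIVE),
]

# Constructed autorun.inf in the style of the USB infectors discussed above.
SAMPLE_AUTORUN_INF = """[autorun]
open=update.exe
shellexecute=update.exe
shell\\explore\\command=update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def hidden_entries(listing):
    """Names carrying the Hidden attribute: what Explorer counts as 'plus N hidden'."""
    return [name for name, attrs in listing if attrs & FILE_ATTRIBUTE_HIDDEN]


def autorun_targets(inf_text):
    """Programs an autorun.inf would launch via open=, shellexecute= or shell\\...\\command=."""
    # interpolation=None: values such as %SystemRoot% must not be treated as format strings.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):   # configparser lower-cases the keys
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if not launches:
                continue
            program = value.strip().split()[0].strip('"')   # drop arguments and quotes
            if program and program.lower() not in (t.lower() for t in targets):
                targets.append(program)
    return targets


def assess_drive(listing, inf_text=None):
    """Findings a defender wants before trusting the drive's contents."""
    hidden = {name.lower() for name in hidden_entries(listing)}
    findings = []
    if "autorun.inf" in hidden:
        findings.append("autorun.inf is present with the Hidden attribute set")
    for name in sorted(hidden):
        if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
            findings.append(f"hidden executable on removable drive: {name}")
    if inf_text:
        for target in autorun_targets(inf_text):
            if target.lower() in hidden:
                findings.append(f"autorun.inf launches the hidden file {target}")
    return findings


def listing_from_directory(path):
    """Build the (name, attributes) listing from a real directory.

    st_file_attributes only exists on Windows; elsewhere the attribute bits read as 0,
    so this helper is informative only on the platform the thread is about.
    """
    listing = []
    with os.scandir(path) as entries:
        for entry in entries:
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            listing.append((entry.name, attrs))
    return listing


if __name__ == "__main__":
    print(f"Explorer would show 'plus {len(hidden_entries(SAMPLE_LISTING))} hidden'")
    for finding in assess_drive(SAMPLE_LISTING, SAMPLE_AUTORUN_INF):
        print("-", finding)
```

On a real drive, pass `listing_from_directory(r"E:\")` and the text of its autorun.inf to `assess_drive`; the point of reading the attribute bits directly is that the check does not depend on the Folder Options setting Rmus describes, so it catches the case where the user has left hidden files hidden.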
Rmus
August 23rd, 2009, 12:24 PM
-{ Quote: "I'm just wondering why Rmus didn't recommend this from the start haha. Good thing I figured it out." }-This refers to disabling the script engines and the command prompt.
In my post #48 above, I did give Registry files for toggling the Enable/Disable of the script engines. The same can be done for the command prompt if so desired. Completely disabling/crippling these Windows functions is rather drastic, in my view, and should be carefully considered before doing so. That is why I wouldn't make such a blanket recommendation.
There are many approaches to the security problems discussed here. Before applying every "fix" that people come up with, one should evaluate the potential vulnerabilities and then decide what is appropriate for you!
Everyone should read/re-read Peter2150's post #78 above for a good approach to this.
----
rich
raven211
August 23rd, 2009, 01:02 PM
-{ Quote: "Good point. I assumed (which one shouldn't do) that LUA is also being used, as I don't see much point in SRP without it, that would be a half-baked solution.
SuRun has really made things easy for us LUA users. Some of the other attempts at a similar app that I've tried were either buggy, didn't do what it said on the tin or were just tedious to use." }-
Yep, easier, and runs things in a secure environment, freezing what's outside that environment - like UAC. (Things still work outside, but changes are seen once you're in the usual environment again - music, installations, etc. don't stop. :))
Peter2150
August 23rd, 2009, 11:58 PM
Hi SSJ
Reason I like the HIPS with Sandboxie, is twofold. While I indeed put a lot of faith in Sandboxie, there is still always the chance.... as Tzuk himself says.
Secondly, even though sandboxie contains it, I don't know about it, and for many reasons, it's nice to know if something strange is going on. The HIPS will alert me.
As to the email, you are right. All my personal email is browser based, but my clients' email comes into Outlook, so I run it sandboxed.
Pete
Dregg Heda
August 24th, 2009, 12:25 AM
-{ Quote: "Tools|Folder Options|View
This is Win2K but it is the same with WinXP:
Check: Show Hidden files and folders
Uncheck: Hide file extensions
[attachment 211518]
Here is one of my external Hard Drives where I've set several files/folders with the Hidden Attribute, and Windows configured not to show hidden files/folders. An alert user might notice "plus 6 hidden" indicated in the Status Bar:
[attachment 211516]
Configuring to show hidden files and folders, we see the presence of an autorun.inf file and an executable file. They are shown in light gray indicating they have the Hidden attribute set:
[attachment 211517]
This was the trick that the Conficker worm used, and has been noticed with other USB infector exploits. If your drive became infected while you were copying files from another computer, you wouldn't know if your computer didn't show hidden files/folders.
I suppose you wouldn't know unless you scanned each file. And then, you would have to trust the scanner(s).
----
rich" }-
Alright thanks for this Rmus.
Boost
August 24th, 2009, 01:53 AM
-{ Quote: " The only malware vector of attack I'm missing is network protection/LAN (which by the way, you didn't mention in your very good post), but since I'm probably never going to hook my computer up to anyone's computer etc, this is totally irrelevant for me." }-
If your internet is through a cable company, you're already on a network, along with other customers.
blacknight
August 24th, 2009, 04:15 AM
-{ Quote: "Hi SSJ
Reason I like the HIPS with Sandboxie, is twofold. While I indeed put a lot of faith in Sandboxie, there is still always the chance.... as Tzuk himself says.
Secondly, even though sandboxie contains it, I don't know about it, and for many reasons, it's nice to know if something strange is going on. The HIPS will alert me.
Pete" }-
So do I think. Sometimes I also use Returnil in addition, so I surf the web in a session that is virtualized, sandboxed, and in any case protected by the HIPS.
arran
August 24th, 2009, 05:04 AM
-{ Quote: "Thanks for posting this reply,seriously.
SSJ has a mission of achieving 100% security and it is quite laughable in an attempt to achieve something thats not attainable in computer security:argh:" }-
I agree that you can't get 100%. But at the same time, what are the chances of malware busting thru Malware Defender and Deep Freeze, or busting thru a Sandboxie and Malware Defender combo?? Is there such malware in existence?? If you deny the malware from running in the first place, is it even possible??
I would say from most of our setups here we would be 99.999 percent secure.
LOL there is more chance of me winning lotto than getting infected.
There is very little difference between 100 percent and 99.999 percent, so I personally don't have a problem with people saying 100 percent.
Peter2150
August 24th, 2009, 08:45 AM
-{ Quote: " The only malware vector of attack I'm missing is network protection/LAN (which by the way, you didn't mention in your very good post), but since I'm probably never going to hook my computer up to anyone's computer etc, this is totally irrelevant for me." }-
You are right. I am on Comcast Cable, but I come in thru a router. I have four computers on my own network, and each of them has Online Armor's firewall on them. Additionally they are all tied together with Cisco's Network Magic, which knows which 4 machines are allowed and it does warn of an intruder.
Pete
Sully
August 24th, 2009, 03:46 PM
-{ Quote: "Good point. I assumed (which one shouldn't do) that LUA is also being used, as I don't see much point in SRP without it, that would be a half-baked solution." }-
I am curious, do you consider DropMyRights a fully baked solution for a specific executable when in Admin mode?
Sul.
jmonge
August 24th, 2009, 03:56 PM
-{ Quote: "I am curious, do you consider DropMyRights a fully baked solution for a specific executable when in Admin mode?
Sul." }-good idea:thumb:
raven211
August 24th, 2009, 04:39 PM
-{ Quote: "I am curious, do you consider DropMyRights a fully baked solution for a specific executable when in Admin mode?
Sul." }-
I'd guess it uses the same restrictions as, say, LUA, so at least it would be a great idea. Personally I consider that using, or at least setting up, LUA is even easier, and then I know that everything is running with/has limited rights, unless I decide otherwise myself.
Sully
August 24th, 2009, 04:53 PM
-{ Quote: "I'd guess it uses the same restrictions as say LUA, so at least it would be a great idea. Personally I consider using, or at least setting up LUA, is even easier and then I know that everything is running with/has limited rights, unless I decide otherwise by myself." }-
True, having default-deny would then not have to rely on memory to be sure X program is protected. lol, with the way my memory is at times it might be a good thing.
But my point was about the comment that using SRP in Admin is half-baked: is this same thought held about using DMR, albeit for a specific application instead of system-wide? The reason: DMR and SRP (utilizing Basic User, aka restricted) are functionally identical. So I was wondering, if DMR could be considered 'acceptable', why the downplay of using SRP in admin, which achieves the exact same benefit plus makes it 'run safer' all the time without a special shortcut, without using another executable to do it, and can be told to do it based on a wildcard path. It is already built into XP/Vista/7 to look to the registry when creating a process, so it is posing no performance hit because the OS will look there regardless of whether you use it or not. I love that part BTW.
Sul.
Johnny123
August 24th, 2009, 06:10 PM
-{ Quote: "I am curious, do you consider DropMyRights a fully baked solution for a specific executable when in Admin mode?
Sul." }-
I suppose if you're running as admin it's a good idea. I only log into my admin account to run Windows update or install hardware, so I haven't given much thought to it.
I find LUA to be easier, everything is limited unless you decide to run it as admin. I have no real-time security apps running and never get malware, so at least for me, it does work.
Rmus
August 24th, 2009, 06:56 PM
-{ Quote: " Does anyone know of any malware that can infect you by running .jpg or .doc (keeping in mind I have the default protection of Microsoft Word to only run trusted macros), or .mp3 or other non-executable files? Thanks for any help." }-Here is a document file exploit that didn't require a macro to run:
Malicious RTF Document in Targeted Email Exploit
http://www.wilderssecurity.com/showthread.php?t=244726
By using RTF instead of DOC, the exploit will run on whatever application is associated with RTF, including Wordpad.
Pete tested this with Sandbox and the exploit failed. The reason I knew he would be interested in this is because it deals with email attachments. Normally, home users are advised not to open attachments from unknown sources. In Pete's case, he has office workers (who are very knowledgeable about security, I'm told) who receive MSWord documents and need to open attachments. Not wanting to lock the computers down completely (as with anti-execution protection), his use of Sandbox in this case fits his needs perfectly, and is a good example of evaluating possible vulnerabilities and coming up with a solution for a particular situation.
The classic example of a media file exploit -- seemingly a non-executable file -- is the Windows Metafile (WMF):
http://www.urs2.net/rsj/computing/tests/wmf_zeroday/
While the early exploits were triggered by remote code execution, malicious files began to turn up in other places and a number of image viewers would trigger the exploit when the user double-clicked to open the file.
mp3 and other media files are commonly used in social engineering exploits. Here is one:
Fake MP3 Trojan Detected On 27% Of PCs
-{ Quote: "http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=207600502
When a user tries to play one of the infected media files, he or she is prompted to download a file called PLAY_MP3.exe, Schmugar explained in a blog post. The file does not contain music or video as advertised. Rather, the Trojan program -- Downloader-UA.h " }-The Koobface exploit attempts to trick the user into updating the Flash Player when clicking on a video file.
http://www.wilderssecurity.com/attachment.php?attachmentid=205517
Tricking the user is the method, because just attempting to spoof .exe as .jpg or .mp3 will launch the particular application associated with that filetype, and an error will result:
[attachment 211542]
Some years ago it was documented that a .jpg file can have some executable code prepended to it, which would make the file execute, but this has not been used in exploits, to my knowledge.
----
rich
Rmus
August 24th, 2009, 07:38 PM
-{ Quote: " All those exploits you've referred to are all examples of user error. None of the exploits you've mentioned refer to getting infected spontaneously." }-The malicious .wmf file executed spontaneously when opened in a vulnerable image viewer.
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Vulnerability Details
Graphics Rendering Engine Vulnerability - CVE-2005-4560:
-{ Quote: "An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. " }-W32/WMF!exploit
http://www.fortiguard.com/encyclopedia/virus/w32_wmf!exploit.html
-{ Quote: "Note that even if the file extension is renamed from .WMF to any of the following, the exploit could still execute:
.bmp
.dib
.rle
.jpg
.jpeg
.jpe
.jfif
.gif
.emf
.wmf
.tif
.tiff
.png
.ico" }-NOTE: This vulnerability was patched long ago, but it demonstrates how a seemingly non-executable file can be used to exploit a vulnerability in the Operating System.
----
rich
Rmus
August 24th, 2009, 07:41 PM
Here is another reference I found in my notes:
WMF Image Handling Exploit
http://antivirus.about.com/od/virusdescriptions/a/wmfexploit.htm
-{ Quote: "The WMF Image Handling Exploit can be rendered in numerous ways, via websites, email, and IM. If an exploited WMF file is on the system, the exploit will render simply by browsing the directory it is in - the file does not have to be opened.
Though the WMF Image Handling Exploit involves .WMF files, a .WMF renamed to a different image extension, i.e. TIF, JPG, ICO, etc., will still be recognized by Windows as a WMF file and the exploit will be rendered." }-
----
rich
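The two posts above make one practical point for a defender: Windows decided how to handle the WMF by its content, so renaming it to .jpg, .tif or .ico changed nothing. A triage check on incoming files should therefore do the same and compare what the extension claims with what the bytes actually are. The following is an added example, not code from the thread or from Rmus's notes; every byte string in it is a constructed header fragment, not a real sample, and the extension list mirrors the FortiGuard quote above.

```python
"""Identify image files by content rather than extension.

Added example, not code from the thread. All byte strings are constructed
header fragments, not real samples.
"""
import os

# (leading bytes, real format). Listed most specific first.
MAGIC = [
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # Aldus placeable metafile key (0x9AC6CDD7 little-endian)
    (b"\x01\x00\x09\x00", "wmf"),   # METAHEADER: type=1 (disk file), header size=9 words
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"II*\x00", "tiff"),          # little-endian TIFF
    (b"MM\x00*", "tiff"),          # big-endian TIFF
    (b"\x00\x00\x01\x00", "ico"),
]

# What each extension claims to be; the list mirrors the extensions in the quote above.
EXT_TO_TYPE = {
    ".wmf": "wmf", ".emf": "emf",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".jpe": "jpeg", ".jfif": "jpeg",
    ".png": "png", ".gif": "gif",
    ".bmp": "bmp", ".dib": "bmp", ".rle": "bmp",
    ".tif": "tiff", ".tiff": "tiff", ".ico": "ico",
}

# Constructed samples: (file name, first bytes of the file).
SAMPLE_FILES = [
    # placeable WMF header (22 bytes) followed by a METAHEADER, but named as a JPEG
    ("vacation.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + b"\x01\x00\x09\x00\x00\x03"),
    # genuine JPEG start-of-image marker plus the head of an APP0 segment
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    # EMF header fragment, correctly named
    ("diagram.emf", b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF" + b"\x00" * 4),
    # PNG signature behind an .ico extension
    ("app.ico", b"\x89PNG\r\n\x1a\n"),
    ("notes.txt", b"just text"),
]


def sniff_image_type(data):
    """Return the format the bytes actually are, or 'unknown'."""
    # EMF: ENHMETAHEADER begins with iType=1 and carries the ' EMF' signature at offset 40.
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name, data):
    """Compare the extension's claim with the sniffed content."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower(), "unknown")
    actual = sniff_image_type(data)
    # Only a confident identification counts as a mismatch; unknown content is left alone.
    mismatch = actual != "unknown" and claimed != actual
    # Metafiles are drawing-command streams rather than pixels, which is why a metafile
    # behind a pixel-format extension is the case worth a second look.
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": mismatch, "metafile": actual in ("wmf", "emf")}


def flag_suspicious(files):
    """Names whose content does not match their extension."""
    return [r["name"] for r in (check_file(n, d) for n, d in files) if r["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        r = check_file(name, data)
        print(f"{name:14} claims {r['claimed']:7} is {r['actual']:7} mismatch={r['mismatch']}")
```

To run it over real files, read the first 64 bytes of each and pass `(name, bytes)` pairs to `flag_suspicious`. The check is a triage aid, not a substitute for patching: as Rmus notes, the WMF issue itself was fixed long ago, but the extension-versus-content mismatch remains a cheap signal for any file type that the OS dispatches by content.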
Sully
August 24th, 2009, 09:14 PM
-{ Quote: "I suppose if you're running as admin it's a good idea. I only log into my admin account to run Windows update or install hardware, so I haven't given much thought to it.
I find LUA to be easier, everything is limited unless you decide to run it as admin. I have no real-time security apps running and never get malware, so at least for me, it does work." }-
I was just wondering what you would consider half-baked. Certainly using SRP or DMR to lower a process's privilege is not fool-proof, but it is pretty good security (lol). I was just curious.
Sul.
Rmus
August 25th, 2009, 12:41 AM
-{ Quote: "Sure, but no spontaneous damage is done - it requires further execution/communication and therefore, this is user error (didn't configure Sandboxie correctly). Since Sandboxie covers all internet facing applications, this exploit would be blocked easily, and no classical HIPS or anti-executable is needed!" }-This was your original question:
-{ Quote: "Does anyone know of any malware that can infect you by running .jpg or .doc (keeping in mind I have the default protection of Microsoft Word to only run trusted macros), or .mp3 or other non-executable files? Thanks for any help." }-You didn't specify protection other than Macro protection, otherwise I wouldn't have bothered giving you any examples.
You should have included,
-{ Quote: "with Sandbox installed" }-and the answer would have been "No."
----
rich
Johnny123
August 25th, 2009, 02:03 AM
-{ Quote: "I was just wondering what you would consider half-baked. Certainly using SRP or DMR to lower a processes privelage is not fool-proof, but it is pretty good security (lol). I was just curious.
Sul." }-
It's just my opinion that LUA+SRP is going to be more secure than admin+SRP, assuming that one is looking for the more secure solution. Certainly using DMR is a significant improvement over not using it, but with an LUA you obviously don't need it.
I find it simpler (and safer) to have everything limited and only raise the privileges of things that absolutely require it rather than have everything running with admin privileges and lowering the rights of specific processes.
Joeythedude
August 25th, 2009, 07:51 AM
I think it's confusing to say configuring security software incorrectly is a case of user error.
In most discussions here, user error is understood to mean that someone ran a piece of software mistakenly or inadvertently.
This could be for a few reasons ->
being used to clicking allow on prompts.
not reading prompts
being rushed into clicking a prompt by rogue software.
etc.
trismegistos
August 25th, 2009, 10:33 PM
Going back to the original question of the OP, which is HIPS vs AE.
I haven't tried the AE yet (may try it in the future for simplicity's sake), but someone posted that the advantage of HIPS over AE is the verification done by HIPS to prevent changed programs. A theoretical possibility, but a very remote one, is if your trusted application suddenly became 'Big Brother' or the developer of your trusted application has sold his soul to the devil, which in our case is 'Big Brother' (ha ha), and certainly HIPS (especially the HIPS component of a firewall) would warn if something strange is happening if that program becomes too leaky. But this is only a privacy risk, not quite a security risk. But there is a thin line between security and privacy. Now how about the HIPS developer selling his soul to the devil? Well, that's another reason why I don't want the HIPS phoning home and auto-updating. The above is a very remote possibility bordering on the paranoid and the insane. So you can disregard this possibility and have a good night's sleep.
OT: I am a believer in checks and balances, so I wouldn't put my entire trust in one single application; likewise I am quite leery of HIPS with full network functionality and would rely on a small-memory-footprint firewall with application control capability (HIPS functionality) to guard network defenses. I even have another firewall with application control guarding that firewall. Strangely and contrary to popular belief, no wastage of CPU cycles nor big resource wastage nor instabilities or incompatibilities noted. I can even see the other firewall leaking some DNS___ held in check by the other.
PS: As they say, "trust no application". HIPS and application control in some firewalls can even check and control the operating systems components themselves from doing some strange behaviour. That's a definite advantage of HIPS especially if the operating system is a friend of our Big Brother. he he
Dregg Heda
August 26th, 2009, 12:21 AM
Can Comodo Defense+ be configured to act as an anti-executable? Does it recognise all binary executables? Thanks.
BluePointSecurity
August 30th, 2009, 08:54 PM
Excellent thread
Copyright ©2002 - 2012, Wilders Security Forums