Best practices to avoid malware infections on the web without blocking everything

Discussion in 'other software & services' started by AboutBlank, Aug 22, 2014.

Thread Status:
Not open for further replies.
  1. AboutBlank

    AboutBlank Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    15
    Hi,

    I was wondering what are some of the best practices that you guys use in order to minimize the risk of infections through malicious scripts on the web?

    I mostly visit websites whose advertisements I don't mind and/or that make (at least part of) their living off them, so I'm really not after a traditional ad blocking solution such as ABP (which I don't particularly like - as useful as it is - for other reasons), yet I know that even legitimate ads can be compromised, and when taken to an unknown website - through a link for example - one cannot automatically trust it in this day and age. I believe that selectively enabling/disabling JS is a good enough option for most users who are after a non-intrusive solution, but is there a more effective way to achieve such general protection?

    As far as I know, the most obvious solution is a sandbox, but effective as it is, it does have its trade-off when it comes to keeping history, cookies, sessions, etc.

    NoScript also comes to mind because it stops scripts from running, but for some it takes too much effort to tweak and set up (myself included) because of its white-list approach.

    So I was wondering what are your recommendations and advice for blocking malicious scripts in the most non-disruptive way? (I use both Firefox and Chrome, but my question is on a more general level)

    Thank you.
     
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    I like WOT & Disconnect extensions. I don't use ABP either.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Another excellent choice would be Appguard. It will protect you against almost anything a browser could do. I do use Ad Blocking just to clean some of the clutter off of the webpages.
     
  4. guest

    guest Guest

    As Peter2150 said, AppGuard. Alternatively DefenseWall, but only for 32-bit OS. Might as well use LUA + UAC max.
     
  5. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Discretion. After that, you can't really have it both ways. If you want that security/privacy, you're gonna have to use apps like SBIE, and an add-on like NoScript, or a HIPS, and take the time to create whitelists. After putting in the work the first few weeks you'll be happy you did later on.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    In Sandboxie, you can set your sandbox to save history, cookies, sessions, etc. out of the sandbox. It's very easy to set it up that way and it can be done from the UI. You didn't mention bookmarks but those can also be saved out of the sandbox. You can make your sandbox as loose or restrictive as you like. I personally don't trade convenience for security; you can do that as well.

    About NoScript. In my opinion, it's not hard to learn how to use it. I personally don't care much about a whitelist, but when you open a webpage it's really easy to figure out the scripts that you need to allow in order to perform a function. Let me give you a couple of examples: here at Wilders, you only have to add wilderssecurity.com to the whitelist and it's done. Nothing else. If you like to watch videos on YouTube, you allow youtube.com and ytimg.com. That's it. If you like the search function in YouTube to work and to view comments, then you also must allow google.com. Most sites only have two, maybe three, sites that load scripts. Once you get into it, even on sites that load scripts from 10 or 15 sites it is not hard to figure out the two or three scripts that you need to allow and block the rest.

    AboutBlank, if a dummy user like me learned (and continues to learn) how to use Sandboxie and NoScript like learning to drink water, you can as well. I recommend both programs. So you know, that's all I use for security, together with the Windows firewall.

    Bo
     
  7. guest

    guest Guest

    The OP said s/he does not want those. Sandboxie might be a valid suggestion but IIRC it needs to be tweaked a little to save history, cookies and browsing session. I am not certain if the OP wants to do that, thus I didn't mention it.
     
  8. guest

    guest Guest

    Plus one more, googlevideo.com. In total there could be four to watch videos if you set it to hide the base 2nd level domain, which is what I do. Usually there are two more extra somethingsomething.googlevideo.com and those two are video specific. Allowing them once in one video link doesn't let you watch another video. But I personally need to set it that way so I can block autoplay videos when I manually check my subscriptions under lurking mode. :p

    JFYI plus.googleapis.com or googleapis.com should also be allowed.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    GrafZ, I only allow the two sites that I mentioned for watching videos. In fact, googlevideo.com is not even listed by NoScript when I visit YouTube. Regarding googleapis.com, you don't need to allow that to view comments or to get suggestions when you search for videos while in YouTube. I actually have that site in my blacklist; I untrust that site. And the only website that I visit where I allow scripts from there is VirusTotal. If I don't do that when I am in VT, I can't upload files. Check it out.

    Bo
     
  10. guest

    guest Guest

    ? ? ?

    Which version of YouTube have you been visiting? The googlevideo.com only seems to be needed when using HTML5. I don't have Flash installed so all videos use HTML5 and I'll have to allow it so the videos can be loaded. So if you're using Flash you might not need to allow it. But googleapis.com is mandatory for viewing comments, which will show up after allowing google.com or, in my case, plus.google.com.

    EDIT: JFYI, such behaviours also applied to HTTP Switchboard when I was still using Chrome.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I use youtube.com. That's it. By the way, the site that I allow in VT is ajax.googleapis.com, not googleapis.com. Bad memory. But both googleapis.com and ajax.googleapis.com are in my blacklist and I do not allow googleapis.com out of my blacklist for any site that I regularly use. That includes YouTube. Perhaps you need to allow it for posting comments, but it's not required to view comments. I don't post comments on YT. I don't use HTML5. I use Flash.

    Bo
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    To view comments, you need to allow google.com.

    Bo
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    GZ, I am in my W7. I hardly ever watch videos in W7 and don't read comments often. I don't have Flash installed in my W7. But I just installed it in a sandbox and checked a video on YouTube, and to view comments I needed to allow scripts from plus.googleapis.com. I'll check my XP later. That's the computer that I use for viewing videos and I will see if the behavior on that one is different.

    Bo
     
  15. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Just followed your link; the free version does two things. First, it shields Java. As an experiment, after the last Java update I went through the 6-12x a year rigamarole of uninstalling the old Java first. In my case JDK 64, then JDK 86. JDK includes JRE. I then decided not to install Java at all. This was about 2 months ago. Haven't needed Java yet, which surprised me. When I root my next Android I might need to reinstall JDK though, as it was a requirement for a couple of rooting adventures.

    Second this "Shields browsers and browsers add-ons
    (including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera)"
    This is too general an explanation. So for now it's a pass.
     
    Last edited: Aug 23, 2014
  16. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    You can run Linux in virtual box. I run Windows XP SP1 in Virtual Box and the entire thing takes 10 seconds to start. I use it for Microsoft Office XP. Granted it would be painful for a browser but then again you can switch altogether to Linux. I browse the web worry free and much more free without NoScript/HIPS/AVs...etc
     
  17. allizomeniz

    allizomeniz Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    943
    NoScript's great if you have a lot of experience with such things, but for a novice it can be daunting.

    It's one of the best tools I know for blocking unwanted content. Set up correctly, the web will still work great and without all the extraneous nonsense.
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Sandboxing may protect the OS from browser intrusions, but it doesn't protect the browser, so it's only half of the problem dealt with.

    In my mind, blocking JavaScript by default is the way to go. The vast majority of sites still function for reading purposes without JavaScript; forums usually also still work but with only partial functionality, but often partial is enough. E.g. I have not whitelisted this site, yet I am using it, making posts etc.
    In IE, disable active scripting, automatic font downloading and perhaps other things considered risky in the Internet zone. Enable Protected Mode for the Trusted zone and set the Trusted zone to Medium-High (same as default Internet), then add domains that need JavaScript to the Trusted zone; using the dev tools via F12 can show the domains that need it on a page. Add about:internet to the Trusted zone as well to allow IE error pages to work properly. Also, for all plugins like Flash and Java, remove the default * allow so domains need whitelisting for those also. Doing that means you can keep Java/Flash allowed in the Internet zone, as it still needs manual approval via the plugin prompt.
    In Firefox, use NoScript to block JavaScript by default; if you combine that with either Ghostery or RequestPolicy then you will block the vast majority of ads. I find ABP bloated and slow nowadays. Ghostery is automated though, so you will probably prefer that to RequestPolicy. Also use the click-to-play stuff so you have to manually approve Flash/Java etc., although in Firefox the click-to-play is a bit buggy and doesn't work as well as approving in IE.

    And as others told me in another thread, use Sandboxie with Firefox.

    The problem with NoScript is it can be a game of whack-a-mole sometimes; some pages are so loaded with trackers, subdomains etc. that you may click the NoScript icon and see 20-odd domains listed, with none of them the obvious ones needed to get a site to work properly. But other times it's obvious, and it's also easy to just temporarily allow a page as a one-off. Another issue with NoScript is that occasionally, even if I globally allow everything, some sites have not worked; I don't know if this is due to a bug or the extra protections like clickjacking.

    Sadly there is no alternative to NoScript on Firefox; Ghostery is not an alternative, that blocks trackers, it doesn't block JavaScript.

    I know I basically failed your request, but blacklisting won't cut it for 0-day stuff, as blacklists are always behind; whitelisting is more secure.
     
    Last edited: Aug 23, 2014
  19. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    If you are logged in, to view comments on YouTube you need to allow google.com. If you are not logged in, to view comments on YouTube you need to allow google.com and plus.googleapis.com.
     
  20. AboutBlank

    AboutBlank Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    15
    Thank you guys for all your comments.

    To be perfectly honest, I myself am not a complete novice user (though not an expert either) and can deal with sandboxing (SBIE, which is indeed quite intuitive when you understand the concept) and NoScript - although I don't like it very much. I know, the web is broken and that's not NoScript's fault, but still, it does take quite a bit of trial and error, and I don't always have the time and energy (i.e. motivation) to experiment when I need something to just work.

    I was asking from a novice perspective because, as I'm sure you are all familiar with, people come to me for advice and help, and I haven't kept up with web security as I would have liked.
    Even for my own experience often times I would accept some security compromise (I would be happy with blocking common threats and mitigating common vulnerabilities) for a relatively seamless, yet more secured, experience.

    So, I hoped for some advice and best practices to achieve just that: blocking the most common threats while not significantly impacting the user experience. I'm less concerned about tracking and privacy. In the systems that I "support" I usually use a non-administrator account, install EMET, don't install Flash unless required to, don't install Java (unless needed; for most systems it is not), but I have not had much success with the users adopting SBIE, and even less with NoScript. As for ABP, from my experience I don't like its impact on the browser performance (although not a huge deal), and I do believe that if you read/watch/listen to content of people who make their living off ads, you should allow ads - so I don't like people to just block everything because it is the easiest solution.

    AppGuard looks interesting. Reminds me a little of Applocker (perhaps?), which only god knows why MS in their infinite wisdom have removed.
    I will give NoScript another try. Seems that there is no escaping it on FF. I've seen that there is a Chrome extension for quick enable/disable of JS. Looks interesting, but I guess that it is a black and white solution so it doesn't protect from malicious script running in an otherwise legitimate website.

    Thanks once again, and I would be happy to read more suggestions, if you have them.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    AboutBlank, since you are going to try NoScript again, I suggest this time you make the following changes in settings. In Embeddings, untick "Show placeholder icon" and tick "Collapse blocked objects". Also, in Notifications, untick "Show message about blocked scripts". Doing these changes makes webpages look clean, nothing broken, and in my personal use case makes NoScript more enjoyable to use.

    Bo
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ AboutBlank

    Did you check out Malwarebytes Anti-Exploit? It does exactly what you want. It will protect against exploits without breaking stuff. A tool like AppGuard is more for advanced users, and will need some configuration. :)
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. AboutBlank

    AboutBlank Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    15
    @bo elam
    Thank you, I will be sure to do that.

    @Rasheed187
    Had a brief look only, but I will certainly look into it. Thank you for the suggestion.

    @MrBrian
    Thanks, running FF with low integrity is very interesting. I didn't know that it is possible; I thought that only Chrome and the recent versions of IE could be run that way.

    It is quite annoying that running as a LUA is often restrictive and could break some functionality in Windows. It is even more annoying that when trying to enforce some SRP to protect the users from the most common threats without overwhelming them with an extensive list of DOs and DON'Ts, it is the users who reject the concept. I know that Windows could be made secure - certainly for the average user - but years of educating the users that they can - and should - run as admins have resulted in every little security tweak that compromises the perceived convenience getting immediately rejected by people who in general gladly compromise security for convenience (i.e. the way they are used to doing things). Maybe it is time to leave them to deal with the consequences; it might change their perspective over time.

    I myself will certainly check and implement the suggestions in this thread.
    Thank you, it is much appreciated.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    If NoScript still ends up doing your head in, you can make it auto-whitelist the site domain and only block 3rd-party domains on the page. You will still need to do occasional whitelisting, but it makes it less painful at the price of some increased risk (but not as bad as allowing all JavaScript).
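The whitelisting procedure the thread keeps coming back to (post #18: use the F12 dev tools to find the domains that serve scripts, then whitelist only those; posts #6, #8 and #19: allow the base domain so every subdomain under it is covered; post #25: auto-allow the site's own domain and block only third parties) can be written down as a small default-deny policy evaluator. The code below is an added example written for this thread, not code from NoScript, HTTP Switchboard or any poster. It assumes a naive "base domain" (the last two labels of a hostname, with no Public Suffix List), that an entry given as a full hostname such as ajax.googleapis.com covers only that host, and that a blacklisted ("untrusted") entry always wins. The page URL, script URLs and policy lists are constructed sample input; only the hostnames are ones discussed above, the paths are made up.

```javascript
"use strict";

// Naive "base domain" (last two labels), the level at which the posters above
// whitelist sites (youtube.com, ytimg.com). Assumption: no Public Suffix List,
// so example.co.uk would collapse to co.uk; a real tool must consult the PSL.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Collect the hostnames that serve scripts on a page: the same information the
// F12 dev tools or the NoScript menu show. Relative, inline (empty src) and
// data:/blob: scripts run in the page's own origin, so they count as first-party.
function scriptHosts(pageUrl, scriptSrcs) {
  const page = new URL(pageUrl);
  const hosts = new Set();
  for (const src of scriptSrcs) {
    if (!src) { hosts.add(page.hostname); continue; }
    const u = new URL(src, page);
    const isHttp = u.protocol === "http:" || u.protocol === "https:";
    hosts.add(isHttp ? u.hostname : page.hostname);
  }
  return [...hosts].sort();
}

// Does a whitelist/blacklist entry cover this host? A bare base domain
// ("ytimg.com") covers every subdomain; a full hostname ("ajax.googleapis.com")
// covers only itself, so plus.googleapis.com stays blocked.
function entryMatches(entry, host) {
  entry = entry.toLowerCase();
  return host === entry || (entry === baseDomain(entry) && baseDomain(host) === entry);
}

// Evaluate a default-deny script policy for one page.
//   whitelist:      trusted entries (base domains or full hostnames)
//   blacklist:      "untrusted" entries; they always win, even over the whitelist
//   firstPartyOnly: post #25's relaxation: auto-allow the page's own base domain,
//                   still block third parties unless they are whitelisted
function evaluatePolicy(pageUrl, scriptSrcs, policy) {
  const { whitelist = [], blacklist = [], firstPartyOnly = false } = policy;
  const pageBase = baseDomain(new URL(pageUrl).hostname);
  const allowed = [];
  const blocked = [];
  for (const host of scriptHosts(pageUrl, scriptSrcs)) {
    const untrusted = blacklist.some((e) => entryMatches(e, host));
    const trusted = whitelist.some((e) => entryMatches(e, host));
    const firstParty = firstPartyOnly && baseDomain(host) === pageBase;
    (!untrusted && (trusted || firstParty) ? allowed : blocked).push(host);
  }
  return { allowed, blocked };
}

// Constructed sample: script URLs as they might appear on a video page. Only the
// hostnames come from the thread; the paths are invented for this example.
const SAMPLE_PAGE = "https://www.youtube.com/watch?v=example";
const SAMPLE_SCRIPTS = [
  "/yts/jsbin/base.js",                                // first-party, relative
  "",                                                  // inline <script>
  "https://s.ytimg.com/yts/jsbin/player.js",
  "https://www.google.com/js/comments.js",
  "https://plus.googleapis.com/js/widget.js",
  "https://r1---sn-example.googlevideo.com/player.js",
  "https://tracker.example/t.js",                      // hypothetical third party
];

// Post #6's whitelist (youtube.com + ytimg.com) with googleapis.com untrusted.
function strictExample() {
  return evaluatePolicy(SAMPLE_PAGE, SAMPLE_SCRIPTS, {
    whitelist: ["youtube.com", "ytimg.com"],
    blacklist: ["googleapis.com"],
  });
}

// Post #25's mode: first party auto-allowed, otherwise empty whitelist.
function firstPartyOnlyExample() {
  return evaluatePolicy(SAMPLE_PAGE, SAMPLE_SCRIPTS, { firstPartyOnly: true });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(strictExample(), null, 2));
  console.log(JSON.stringify(firstPartyOnlyExample(), null, 2));
}
```

Running it shows why the two modes differ in risk: the strict policy allows only s.ytimg.com and www.youtube.com and blocks google.com, googleapis.com, googlevideo.com and the tracker; the first-party-only policy allows www.youtube.com alone, so a third-party ad or comment widget still has to be whitelisted by hand, while a script injected into the site's own domain would run. Because blacklist entries win, bo elam's VirusTotal case (ajax.googleapis.com needed while googleapis.com is untrusted) would need the blacklist entry removed, or a per-site temporary allow, which this example does not model.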
     