What next?

Hi Wilders community

I am wondering what to do next?

I am behind a hardware FW and SensiveGuard gives added outbound protection (e.g. Outlook express is only allowed to send mails when initiated by the user, to protect our PC to become a mailbot).

Additional data wall protection by SensiveGuard:
My C-drive executables (*.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys *.scr, *.ini,*.hta) are protected from changing by Sensive Guard. Programs with internet connection are not allowed to read files from my D (data) drive when not initiated by the user (additional data theft protection). No program with internet connection is allowed to download the above mentioned executables.

DefenseWall runs WMPlayer, OutlookExpress, InternetExplorer, hh.exe, winhlp32.exe, ntvdm.exe, tftp.exe, ftp.exe, 7zFM.exe (zip manager to which all archive extentions are linked), LimeWire, The shared folder and incomplete folder of LimeWire, WindowsTasks directory and DVD and floppy drive as untrusted.

SSM-free only allows white listed processes and blocks start ups from the shared directory and LimeWire incomplete directory, and blocks the registry keys showed in the attached picture. Rest is more or less standard SSM free modules (IE protection).

Antivir is my free Antivirus with Heuristics set to high.

At the moment the PC shows no security pop-ups and the security aps cross protect each other, except for Antivir (no MD5 hash check in and Updater is allowed to start any process in SSM and allowed to download non user initiated executable updates in a specified directory by SensiveGuard).

The PC is hardened with SafeXP, Seconfig and SpywareBlaster and I use wireless MAC adress control plus fixed IP-adresses (no need for DHCP/DNS or svchost to go external). SSM user interface is disconnected.

What could I do more (for instance blocking additional registry entries from being changed) without confronting the user of this PC with pop-ups in normal operation?

I have to use IE7, because the main user needs it to pay for downloaded music (through Dutch banking application). IE7 is configured conservatively, with normal-high protection, but fully functioning. I have no special anti-keyloggers due to the Dutch Banking security measures (with double public private key protection), SensiveGuard and the DefenceWall 'red button'. But this thought could be to optimistic.

I stopped using on-demand antispyware scanners after they had not found anything for at least half a year.

Regards Kees

 

u could add a HOSTS file or SpywareBlaster.

also what are u trying to protect the computer from? that setup seems very secure as it is.

 

Sorry I forgot to mention SpywareBlaster, added this in the text.

Just trying to use the (registry) knowledge of the forum members for additional registry hardening.

Thx

 

PeerGuardian with Bluetack´s lists?

 

Thx is an extra to blacklist IP's for P2P

 

You can also blacklist IPs of ad/spyware servers.
I´m thinking in Link Scanner Lite and/or Dr. Web link checker
Perhaps it´s too much.

 

Lucas thanks,

I have done some surfing. It seems that LimeWire 4.13 will have the option to import blacklists (now in Beta). In stead of adding a new ap, I prefer to wait and see what import capabilities this new release has. After all, we did wthout all the time so we can wait a short time. I will certainly add IP black listing to the security set, preferably with LimeWire 4.13 otherwise with PeerGuardian.

Thanks for the feedback

Others,

I would still appreciate other registry entries to be guarded by SSM-free, so when anyone has suggestions please make them.

Regards K

 

WhereWindowsMalwareHides.doc

 

Kees1958: that's quite a strategy! Congrats
However, what keeps you in Windows world? I know what keeps me, but someone with that strategy must have thought about it, at least consider it.
Are there specific programs that you use not available for GNU/Linux?

TIA- like i usually say, i like to hear/read other perspectives.

 

Someone,

My wife is the main user. Besides her job she is an areobics/steps/spinning teacher for fun. She has learned how to download music via pay sites.

Everything may change on the PC except InterNet Explorer (because her favourite download sites only can deal with IE), Word and PowerPoint.

So this means a no go for Open Source software (linux, which I regret)

Regards K

 

I see. That's the main problem worldwide: we're hooked one way or the other. Although those sites that only work with IE i usually try to ignore them. Only if i really have to. I restrain from insulting them, and blocking their IP...
But if you don't already, try VirtualBox or VMware, and check out Kubuntu and SUSE. VirtualBox is just download, no personal details needed, and it just works, for me anyway. Really easy to operate.

If you think it's way out of topic, sorry. But i'm answering "What next?"

 

Someone,

There is a up side to users stucked in their habits. I reckon her work will not upgrade to the next MS OS in 4 years. In that time the initiative to create a working XP OS binairy compatible OS will hopefully be ready (ReactOS)

Regards

 

Thanks for the tip, i'm looking at http://www.reactos.org/en/index.html . Interesting
Have you played with Coreforce lately? I'm going to check it out in a day or two.

 

Thanks very helpfull, I will check this through

EDIT: added 14 registry entries, see pic thanks!

 

No I have played with it quite a while ago. The first setup was on a detail level, which is good for granular control but a lot of work when you want the PC to be pop-up quite. I wait until they are out of Beta. Interesting what you might find of it.

 

Hi, if u don,t mind I will ask few Qs as I know very little.
Why to run winhlp32.exe and ntvdm.exe untrusted?
Any problems/ loss of functionality by running tftp.exe and ftp.exe running isolated?

Correct me if I am wrong but I think SSM free does not block all these reg enteries? These might be there but not functioning. Have u checked?

 

Hi Aigle,

Don't you remember I have thanked you for the sandbox tests you did. So I when you know very little, I know less.


Some worms use NTVDM to spread. You as an GeSWall Pro user (my son has it on the other PC), might remember the GeSWall test which 'ducked under' XP by using the command shell. I think for Sandboxes it is hard to protect when the machines switches to old 16 bit or DOS aps. Therefore I have inactivated command and run NTVDM untrusted.

Winhlp32.exe, see http://www.auditmypc.com/process/winhlp32.asp

No function degration when running tftp and ftp untrusted.

Regards K

 

When running with the user interface disconnected, the original action was ask. With the user interface disconnected you do not see pop-ups, so you won't see the 'ask' action.

I have changed that to block. I thought I had tested it. I have seen SSM come into action in learn mode/user interface connected (it seems it falls back to ask when in learning mode on blocked entries).

Even with SSM-free you can right click the registry module and add new entries. The registry guidance of SSM is really splendid (you can cascade to the correct group and it lists the string values currently mentioned in that entry, you can even set how deep you want SSM to block).

SSM free also protects against physical memory vialotion (e.g. when Microsoft wants to check you have a legal version), while the documentation also mentioned the free version did not. I think since using the V2 SSM some original in the V1-version not 'included' features were enabled.

SSM-free has some low level disk access protection (which also should not be in the free version). I have a Dutch version of Partition Manager. When I delete the active C partition. Partition Manager pop-ups with a 'proceed' confirmation. SSM-free wants to close Partition Manager. The closing protection of Partition Manager comes up with it a pop-up (do you really want to exit y/n). When I choose no, SSM-free immediately kicks into action again, triggering the closing protection of Partition Manager again. It always takes me three to four times, before I am fast enough to confirm the 'proceed' pop-up of Partition Manager, before SSM kicks in again.


I like SSM-free over SSM-paid (I have a lisence from giveawayoftheday), because it is less complex than SSM paid (or ProSecurity paid). I was a ProcessGuard/DSA user, so my opinion is coloured.

Regards K

 

Hi Kees, thanks for explaining. Mostly new info about NTDVM for me.
Regarding SSM, I have added few more rules in SSM reg protection from ur snapshot. Like u, I have SSM pro licence as well but still use free one, as I think reg protection of Pro is much complicated.

I will see how it goes.
Thanks.

 

Aigle,

Do you have registry protection tips for me? I had hoped some registry die hards and MJ Registry users would join in this post to give some additional tips.

Regards

 

Take my word seriously, " I know little".
I don,t paly much with registry as I am afraid to invite troubles. I hopw some
advanced users esp those using RegDefend and RegRun might help u.
My apologies.

Take care

 

SSM free registry protection (1)

Edit: changed HKLM/System/CurrentControlset/Services/Tcip/Parameters to
HKLM/System/CurrentControlset/Services/Tcip/Parameters/Winsock

With regedit changed the acces rights of the admin and the above system to
HKLM/System/CurrentControlset/Services by unselected full control, create subkey, delete, DAC data, Write owner, Security info read. In this new services can not be installed or old deleted.