Trojan Trap help

Hi AAP,

Ah, finally, another TTT3 user. There don't appear to be very many of us around even though it may be the single best piece of security software available. (How's that for a strong opinion? )

Can you give a little more information here? What "application group" do you have the executables for these programs in? Perhaps you've just got security set a little too tight on them or perhaps on other dependant apps.

TTT does take a bit to configure, but, once setup properly, you will have some pretty powerful security on your system. You just need a little patience and time.

Also, exactly what errors are you getting?

 

Hey AAP,

I see you've joined as a member here, welcome!

Hmm, both systems running XP Home and it works on one but not the other, right?

First, what changes from default have you made in TTT? If TTT was installed after TDS and Ad-Aware, their executables would have already been in the unrestricted applications group.

Does your unrestricted group have the vast majority of your system's executable files in it? Have you moved other EXE files (especially any core Microsoft system files) out of there and into more restricted groups? Some can be moved but a lot can't. Also, have you changed the unrestricted groups "Execution Settings..." options at all? It should look like the image below so that no restrictions are enforced on that group.

If possible, if you could provide the whole actual text of the error message, that might also better indicate the problem.

Another option is to deinstall TTT on the bad system, it should come off very cleanly but check for remnants anyway (files and registry) and then reinstall. Let it catalog all existing EXE files, like TDS and Ad-Aware and place them into the unrestricted group. Make no changes in TTT at all, but let it run, then see if these programs work normally.

- LowWaterMark

 

Initially, the biggest decision will be determining which programs to move out of the unrestricted group and into another, more secured group. You see, you want to leave the "unrestricted applications" group completely unrestricted so that you won't block functions on key system programs. (Though the one restriction you can safely check in the unrestricted group is the "Checksum guard". That will let you know if any applications in that group have been changed, which can be valuable since you really are trusting those apps completely. I do have that option checked, I just didn't show it in the image above.)

The "preconfigured groups" are pretty important, so that might be a good place to tweak first. If you use IE, OE or Outlook, those three groups can help you really control just what those applications can access on your system. The IE group may well be the most important. Limiting the directories and registry locations that IE can access can really limit the exposure from possible exploits in IE. These three groups are already secured in some ways by default, but, additional adjustments can be made.

One thing I've found very valuable for those groups, and a few new ones I've made, is to specifically block the directories and registry keys of my key security software. For example, using the Advanced Mode under View menu in TTT's Admin tool, for the IE appl group, you can go into the file and registry security sections and mark as read-only all the areas related to your AV, FW, and other security apps. So, if IE is ever "out of your control" through an exploit, it can not possibly change anything in the file folders or registry keys related to your security tools.

This can be done with other groups as well.

In the image below, the key things of interest are: 1. Notice how many programs are in the unrestricted group (look at the scroll bar and you'll see that a lot of programs are contained in there). For the most part these are things like the core windows exes and most of the major \Program Files\ based applications (again, only trusted programs, of course).

2. I've created a couple additional, special function, groups. "Hide Personal and Security" is one that allows much functionality for the programs contained in there, but, marks as read-only my core security products and as "no access" my private files (financial & tax info, and other personal items). I run a few programs in there that need a lot of rights on the system to work, but, that I still don't trust 100%. So I sandbox my most critical apps and files from being accessed by those programs.

My favorite new group is called "Special Testing". It is an almost all "Ask User" (prompt) application group. It allows read-access to all core areas, except personal files, but for any form of write or update access, in files or the registry, it prompts me for approval first. This allows me to run a program and determine just what things it wants to write to the system, and I can decide real-time if I want to allow it.

Those are just a few thoughts for you to consider.

My warning to new users of TTT is simply this: Don't restrict programs that need deep system access. Such programs include your AV, Firewall and complex security products. If you don't trust those programs then even TTT won't help.

 

FYI - The links below are a few screen shots that show various options that are configurable within TTT3. The examples shown are specific to the Internet Explorer application group, but can be applied to any existing or newly defined group.

These images are included as download links rather than active image tags in order to save download bandwidth for those who are not really interested in TTT configurations, but who have clicked the link to this thread. (I believe the green (allow) and red (block) properties are self explanatory.)

1. Restrictions on: System Services

2. Restrictions on: OLE/COM

3. Restrictions on: Process Spawning

4. Restrictions on: Misc System Service Controls

5. Restrictions on: Filesystem Access

6. Restrictions on: Registry Access

AAP - you know most of this already, so this is included for those who are interested in the capabilities of a powerful sandbox, but who haven't tried Tiny Trojan Trap yet.

 

TTT3 is now a previous version meaning that Tiny no longer directly markets or supports it. They have all the components of the sandbox included in their newer versions of Tiny Personal Firewall. TPF3 and TTT3 were the current release as of 10 months ago, then TPF 4.0 came out. That was very quickly followed by TPF 4.5.

TPF 4.5 is the current release version, and TPF 5.0 is in the Beta software cycle, and if all goes well, it'll be final release soon. Though interestingly enough, Tiny Software is actually selling TPF 5.0 right now, even though it's still in Beta.

TPF 4 completely changed the interface and many other components from version 3. I tried it and thought it was seriously lacking, so I returned to TTT3 while waiting for the next major version. Tiny must have thought there were problems with the entire 4.* version set as well because now 5.0 is another complete rebuild of the product. It looks much more promising than the 4.* disaster. (Yeah, 4.* was that bad - in my personal opinion.) I have updated my license so that I currently own TPF Pro 5.0 though I still use TTT3.

 

Well, you can't get a much better firewall than LnS so I'll hope your eval goes well.

Also, I see you joined as a member here, so Welcome to Wilders Security Forums!!

 

Hi AAP,

Yes, there are some very powerful controls that can be setup in TTT to let you know what a particular program is trying to do. First, here's a quote from one of my other posts above regarding an application group I've set up to do this very thing.

Since you generally care most about the updates, changes and writes that an unknown program is doing, this type of group allows any application in it to have normal read access to the files, registry and various system services. It only pauses and alerts (asks) you about anything the program is trying to write or dangerous system services it's trying to run.

To set up such a group, first make sure you are running the TTT Administration Tool in Advanced Mode. Now, create a new application group. I called mine Special Testing, but the name doesn't matter. See the image in Reply #5 above. Notice where "Special Testing" is? Right-clicking on the "User Groups" folder gives you the option for creating a new group.

In the dialog box that pops up where you name the new group, you'll have a choice of making the new application group a restricted or unrestricted group. Select the restricted box.

Now, using the three buttons on the left, "System Security", "File Security" and "Registry Security", you are going to customize the new group, setting virtually all configurations to allow all the read-like accesses, and setting all other options, such as write, delete and so forth to "Ask user".

Let's look first at File Security (see image). Notice in the middle window (Explorer like interface), I have the highest level (the "Files" item) selected, so the settings I make at that level will carry down to all disks and folders below. Special Testing is selected in the upper right, so the settings made in the lower right section will apply to just that new application group. In that settings area, the "access" tab has all the read-like settings allowed (don't forget to scroll down in there).



This has now allowed read access to the entire file system for that application group. From there let's set the "Ask" configs. In the next image you see I've switched over to the "ask user" tab. In there I want to enable all the remaining forms of access that aren't the read ones from the first tab (things like write, delete and append...). When these are set as you like, hit the "Set" button just above that box and you've secured most of the file system accesses.



Now, a little more tweaking in the File Security section may be desired. If you look at these images, you can see, for example, the "Temp" folder is green. Well, I decided to alter the security for a few key folders from the new defaults we just set above... Basically, I've granted "Full control" for this group on a few folders because I did not see any reason to not allow programs I'm testing to access a few of the common work areas on the disk. You'll have to decide if there are certain work folders you want to allow like this.

Basically, at this point any program run in this new group now must ask you for any write or delete operations it wants to perform. TTT will hold the program at that very point until you either allow or prevent the access request.

More security ideas for this group in the next post.

 

As you continue to build this new program testing application group in Tiny Trojan Trap, the next area you probably want to secure is the Registry. So, as with the file security set above, select the Registry Security button in the left panel and proceed with setting first the full "read access" rights and then set the rest to Ask the user.

In the registry section for my Special Testing group, I simply set the top level permissions and did not tweak any areas below that top level. Therefore, every key in the registry is treated the same as the settings at this top level. Read is allowed for everything, but any updates, writes or deletes will require user approval.

In the image below you'll see what I mean. The registry settings are made via the same Explorer like interface. Selecting the highest level (called "Registry") and on the right selecting the new Special Testing application group, you can then make the settings in the lower right screen section.



In the "access" tab shown above, all the read-like accesses are enabled. Below you see the "ask user" tab has all the write and update operations selected. Hit the Set button and you are done with the registry settings.



Now, before I describe the settings I've made in the "System Security" section, (perhaps the most powerful area of control in TTT), I wanted to just make a side point here.

Setting all this file and registry security to ask you for permissions for every operation a program is going to perform is likely to result in a whole lot of pop-ups that you'll have to respond to. This functionality works and it works well. Some people might say it works too well. Complex programs can do a whole lot of write operations to the file system and the registry. It can be very overwhelming. So be forewarned about that.

I do not suggest running any complex utilities (such as an anti-virus or firewall) in such a group. After the first few hundred popups, you'll be sorry you did. But, if you are downloading some simple utility, say one of Gibson's tweak this thing security tools, and you want to know what registry changes it's making, then this will let you see and control them. Once something gets beyond this level of complexity, an All Ask application group is a little too much! At that point I'd suggest you use something like my "Hide Personal and Security" group. If you are running something not fully trusted, then use an application group like that to protect your valuable files, and the directories, files and registry settings of your key security tools. A quote on this group from above:

On to Windows OS services and component controls...

 

Protecting the registry and all the files on disk is important to be sure, but, what about Windows itself and all the other running processes and built-in services on your system? A lot of malware attempts to kill off or take over your security applications as they run in memory. They also try to create servers and spawn other processes to accomplish their dirty work. So, there is one more section in TTT to protect these other system resources.

Select the System Security button in the left panel to bring up access to the various OS access controls that can be managed. Let's start by looking at the Miscellaneous controls which is where functions like process termination and system shutdown are control from. This is a pretty powerful section, and as you can see it also allows you to control access to the clipboard, limit the amount of memory a program can use and even set a maximum number of window activations.



As with the spirit of an All Ask type of application group, these are set to Ask, however, if there are certain functions you want to always allow or always block, then you can do that, too.

That's the only image from that section that I'll embed in this post. But here are clickable URL links to screen shots of the remaining sub-sections within the System Security section. Notice that in the Services section, and also the Devices section, there are plus-signs before the section name. Yes, you can assign access permission to any individual Windows Service or Device, or treat all Services and Devices the same. Whatever level of granularity you need is available.

Services image.

Devices image.

OLE/COM image.

Process spawning is interesting. Here you can decide if you want a program to be able to spawn other programs into new running processes. It's not an all or nothing kind of thing. You can decide what programs can be spawned and which programs can do the spawning. You can choose to have the newly spawned program run under exactly the same limitations of the calling program or let them run with the access rights that the program would normally have if you ran it directly.

Process Spawning image.

VB Macro Control image.

As with the note in the last post, setting all the functions in this section to "ask" could produce a massive number of popups that you'll have to respond to. In my experience, the use of this is not a problem when talking about a small utility, but it can quickly become far too much for a complex application.

Now, let's look at an example of what level of control TTT can give you when you use an application group such as Special Testing. This last image is a screen shot of the TTT Activity Window. (That's a viewer that displays the latest events that have been alerted, asked & answered, or logged while TTT is running.)

To give a little background, a couple months back AVG6 Free started including a small executable in with their definitions update. Well, the moment the AVG update process ran that EXE, TTT caught it and asked me what application group to run it in. While TTT was holding the process, I used Windows Explorer to look at the file and clearly it had come down via the AVG update. So, I selected the Special Testing group and let it run. I got multiple popup inquiries as it ran and replied to them. Here's the summary:



Notice the sequence. I had started the AVG control console and told it to do an online update. The rest of the activity is the sequence of programs and logged accesses based upon the settings I have in TTT. When AVG extracted and ran this new utility program, free_txt.exe, I was asked if I wanted to let it to set a registry value. At that point I let TTT hold it while I went to that key in the registry and made a backup of it. Then I allowed it to continue and do the remaining actions. I was then able to go back and compare afterwards just what it had done in the registry.

TTT allowed me to determine that Grisoft had change the AVG6 Free product so that it could now only download updates from a single server, all alternate URLs were removed. So, in this case, TTT caught and alerted me to a new program, allowed me to stop it or let it proceed, and monitor what it was doing as it happened. This is perhaps one of the more powerful things TTT can do.

Whew! AAP, a little more of an answer than you asked for, but it's a pretty complex program and in order for you to be able to "watch over a program and see what it's trying to do", this type of application group would be required. (Besides, I've been wanting to write up something on TTT for a long time and this gave me a good excuse. )

I guess in summary, TTT allows you to assign access rights and protections to almost any thing (device, file, directory, registry key, system service or OS function) on your system. You can allow, prevent or alert & ask the user, for any of these accesses. It is very granular. But, it is very complex and takes a lot of time to learn and configure.

 

If you can't buy TTT3 directly, ask the people at Tiny Software if buying the new TPF 5.0 product gives you a key that will work in all the older versions, too? If that works, you can choose to use either.

I have keys to both TTT3 and TPF Pro 5.0 and the key structure is identical. Also, there is a sale on TPF Pro 5.0 right now at their website. (Even on sale it is $49 US. Regular price is $79)

However, be warned, I have not tested that the newer key works in the older products. You'll need to confirm that with Tiny since I don't want to uninstall just to test it. Of course, I will one day, as soon as TPF 5.0 is stable, upgrade to the newer product.

 

Thanks linney.

And, thanks for finding that site with TTT3. That link of course is for the direct download, this is the product description page right above that one:

http://www.webmasterfree.com/software/Security-Privacy/Anti-VirusSpecialized/tiny_trojan_trap_3.0.html