Wilders Security Forums  

#1
August 18th, 2007, 06:32 AM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Threatfire custom rules setup

Dear all,

Thanks PC Tools for giving such a wonderful application for free. The beta is in fact CyberHawk Pro with a refurbished GUI. All functionality works okay, so for a Beta it is a stable version regarding the free functionality (only a few minor GUI glitches).

Regards Kees.

Last edited by Kees1958 : August 18th, 2007 at 08:09 AM.
#2
August 18th, 2007, 06:33 AM
Kees1958
Re: Threatfire custom rules setup

Install ThreatFire.

Click on the icon; the main screen appears. Click on the Advanced Rules button.
[Attached image]

Last edited by Kees1958 : August 18th, 2007 at 08:42 AM.
#3
August 18th, 2007, 06:34 AM
Kees1958
Re: Threatfire custom rules setup

Choose the custom rules setting (click on the button).
[Attached image]
#4
August 18th, 2007, 06:35 AM
Kees1958
Re: Threatfire custom rules setup

Now we are going to enter our custom rules.

We will start with file protection.

Click on the NEW button
[Attached image]
#5
August 18th, 2007, 06:37 AM
Kees1958
Re: Threatfire custom rules setup

Next the rule wizard screen appears, explaining the basic process sequence and setup logic of the custom rules.

Choose NEXT (Volgende in Dutch).
[Attached image]
#6
August 18th, 2007, 06:38 AM
Kees1958
Re: Threatfire custom rules setup

Now we have to define the source. Because we want to apply this to all processes, select Any Process and click Next (Volgende).
[Attached image]
#7
August 18th, 2007, 06:45 AM
Kees1958
Re: Threatfire custom rules setup

Now the trigger screen appears.

The event triggering this rule is when a process tries to access a file, so select this [shown as a. SELECT].

Now look at the lower part of this screen and click on the underlined text (access), [shown as b. CLICK (in red)]

A file pop-up appears (with four options); please only select three of them (write, create and delete) [shown as c. SELECT].

Click on the OK button of the file access pop-up screen [shown as d. CLICK]
[Attached image]
#8
August 18th, 2007, 06:54 AM
Kees1958
Re: Threatfire custom rules setup

I have forgotten to also mark the option "that looks like an executable". Please also select this (sorry).

The next text explains the attached picture.

Now the rule options screen appears, select "named file name" [shown as a. SELECT].

Look again at the lower half of the screen and click on the underlined text "file name" [shown as b. CLICK].

A file list pop-up appears in which you can enter file names or, in this case, file suffixes. We start by entering the first file extension "*.exe" [shown as c. ENTER extension in red]. Click on the + button [shown as d. CLICK] to add this extension to the list in the lower part of the screen. Repeat this for all extensions which are executable-like, for instance

*.ax, *.bin, *.cab, *.cmd, *.com, *.dll, *.drv, *.exe, *.hta, *.ocx, *.sys, *.tlb, *.vxd, *.x32, et cetera.
[Attached image]
#9
August 18th, 2007, 06:55 AM
Kees1958
Re: Threatfire custom rules setup

When you have entered all extensions, choose/click the OK button.
[Attached image]
#10
August 18th, 2007, 06:59 AM
Kees1958
Re: Threatfire custom rules setup

Now we are going to specify which directories should be watched.

So we also select the option "in the folder" [a] (I hope you are getting familiar with the user interface, so I am leaving out explanatory text).

Click on the underlined text "the folder" [b] and a Folder list screen appears.

Enter the directories in the text field [c] or navigate with the triple-dot button to the desired directory. Repeat [d] and choose OK [e] by clicking on this button.
[Attached image]

Last edited by Kees1958 : August 18th, 2007 at 08:44 AM.
#11
August 18th, 2007, 07:00 AM
Kees1958
Re: Threatfire custom rules setup

Your entered options are shown (make the screen larger for clarity); choose Next by clicking on it (Volgende means Next in Dutch).
[Attached image]
#12
August 18th, 2007, 07:02 AM
Kees1958
Re: Threatfire custom rules setup

Next the exceptions screen appears; choose trusted processes and system processes, and continue by clicking on the Next button.
[Attached image: 11 file options.JPG]

#13
August 18th, 2007, 07:03 AM
Kees1958
Re: Threatfire custom rules setup

Finish this rule by giving it a name and a description; click on the second button (Voltooien = complcomplete in Dutch, i.e. Finish) when ready.
[Attached image]
#14
August 18th, 2007, 07:05 AM
Kees1958
Re: Threatfire custom rules setup

Now activate this rule by selecting it and choosing Apply (Toepassen).
[Attached image]
#15
August 18th, 2007, 07:11 AM
Kees1958
Re: Threatfire custom rules setup

Now that we are familiar with the user interface, the next pictures will show you how to set up registry protection, for instance the startup protection explained by Toni Klein (see the RegDefend part of Wilders).

I have included screen shots with the registry keys and values which Toni mentions, only (being lazy) I have not entered them all.

We want to make a new rule, so choose NEW (see post #4). The rule wizard appears; choose Next (post 5). Again we want to apply this to all processes (post 6), and the Trigger screen appears.

The event we want to watch is when a process "tries to write to the registry"; select this [a] and click on Next [b].
[Attached image]
#16
August 18th, 2007, 07:16 AM
Kees1958
Re: Threatfire custom rules setup

Next the rule options screen pops up.

We will start with registry keys and will enter the values to watch later on,
so select "to the key" [a] and click on the underlined text "the key" [b] on the lower half of the screen.

Next the registry keys screen pops up. You can enter text in the text field according to the standard registry syntax. An important point is that ThreatFire requires a \ at the end of registry keys.

Enter a registry key to protect (e.g. HKCR\Folder\ColumnHandlers\ ) [c], click on Add [d] and repeat this for all registry keys (shown in the next post as a picture). Click OK when ready [f].
[Attached image: 15 Options reg key.JPG]

#17
August 18th, 2007, 07:18 AM
Kees1958
Re: Threatfire custom rules setup

The next picture shows Toni Klein's watch list for keys; enter them all (by repeatedly entering each in the text field and choosing Add, as explained in the previous post).
[Attached image: 16 Toni Kleins Reg options.JPG]

#18
August 18th, 2007, 07:27 AM
Kees1958
Re: Threatfire custom rules setup

Now we are also going to specify the registry values to watch. Field names entered are according to common registry syntax, with the field name last (without the \).

Unluckily ThreatFire does not have wildcards like RegDefend or Winpooch, so it is a bit of work (but then again it is free).

Select "to the value" [a], click on the underlined text "the value" [b].

Note that in your screen all the entered registry keys will be shown as a large sequence of entries. As explained I am too lazy (having already entered them in CyberHawk Pro).

Next the Registry Values screen will appear; the same logic applies to enter the registry values to watch, by entering each in the text field (e.g. HKCU\Control Panel\Desktop\ScreenSaveActive ) [c] and clicking on the Add button [d].

Repeat this for all values to be watched (see next post for a list) [e] and click on OK when ready [f].
[Attached image: 17 Options reg value.JPG]

#19
August 18th, 2007, 07:28 AM
Kees1958
Re: Threatfire custom rules setup

The list of registry values you have to enter repeatedly, as explained in the previous post.
[Attached image]
#20
August 18th, 2007, 07:31 AM
Kees1958
Re: Threatfire custom rules setup

The options screen will display what you have entered (left of picture); choose Next and the Exclusions screen will appear. Select system processes and trusted processes to allow them to make changes and click on Next [b].
[Attached image: 19 Reg finish exclusions.JPG]

#21
August 18th, 2007, 07:33 AM
Kees1958
Re: Threatfire custom rules setup

Enter a rule name and description, choose complete (the second button, shown in Dutch as 'voltooien'), and select this self-made rule to activate protection as shown in post 14.
[Attached image]
#22
August 18th, 2007, 07:38 AM
Kees1958
Re: Threatfire custom rules setup

The last custom rule is for a process that does not communicate with the user seeking outbound traffic.

To reduce the number of posts this is shown in 2 pictures.

Again select New, proceed to the wizard and select as a source

"any non-interactive process" [a] (left upper)

The trigger is "creates x network connections" [b] (right upper).
Click on the underlined "x" (lower half of the screen in the right upper corner [d]). Next a Count pop-up appears; increase this by one [e] by clicking on the upward pointer. Next the count pop-up will show 1 connections; select OK [f] and the screen in the left lower corner appears. Choose Next [g].
[Attached image: 21 Internet dial out.JPG]

#23
August 18th, 2007, 07:43 AM
Kees1958
Re: Threatfire custom rules setup

When choosing Next in the previous post, the options screen appears (obviously I am having trouble with the alphabet, because I continue with G while G is also the last step in the previous screen).

Select the port number [g].

Click on the underlined text "number" [h].

Enter port numbers in the Ports pop-up [i], click Add to select [j] and repeat [k]. In this example a range is entered and a single value. ThreatFire recognises port 80 and by itself adds the text (HTTP). Click on OK [l].

And the options screen appears to show what you have entered; choose Next [k], specify exclusions, give this rule a name/description and activate it, et cetera.

Enjoy. You now have the ideal companion (as a second layer) to your hardware firewall and DefenseWall (or GeSWall Pro).
[Attached image: 22 out finish.JPG]


Last edited by Kees1958 : August 18th, 2007 at 08:50 AM.
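As an added illustration (not part of the original posts, and not ThreatFire's own code), here is a small Python model of the three custom rules the thread builds (posts #4 to #14 for the file rule, #15 to #21 for the registry rule, #22 and #23 for the outbound-connection rule), run over a handful of constructed events. It encodes the rule data the posts actually give: the executable extension list, the HKCR\Folder\ColumnHandlers\ key, the HKCU\Control Panel\Desktop\ScreenSaveActive value, port 80, the connection count of 1, and the system/trusted exclusions. The watched folders, the extra port range, the rule names, the event format and the sample events are assumptions made for the example. It also carries the check a practitioner would want before entering a long list by hand: keys must end with a backslash and value names must not, and because there are no wildcards every key and value has to be listed exactly.

```python
"""Toy rule engine mirroring the three ThreatFire custom rules built in this thread."""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
import ntpath

# Rule data from the thread. The folders, the port range, the rule names and the
# sample events below are constructed for this example (assumptions).
EXECUTABLE_GLOBS = ["*.ax", "*.bin", "*.cab", "*.cmd", "*.com", "*.dll", "*.drv",
                    "*.exe", "*.hta", "*.ocx", "*.sys", "*.tlb", "*.vxd", "*.x32"]
WATCHED_FOLDERS = ["C:\\Windows", "C:\\Program Files"]               # assumed
WATCHED_KEYS = ["HKCR\\Folder\\ColumnHandlers\\"]                     # post #16: keys end with \
WATCHED_VALUES = ["HKCU\\Control Panel\\Desktop\\ScreenSaveActive"]   # post #18: values do not
WATCHED_PORTS = {80} | set(range(6660, 6670))   # 80 from post #23; the range is assumed
CONNECTION_THRESHOLD = 1                        # the count of 1 set in post #22
EXCLUDED_TRUST = {"system", "trusted"}          # the exclusions chosen in the wizard


@dataclass
class Event:
    process: str
    trust: str          # "system", "trusted" or "untrusted"
    interactive: bool   # False for a process that never talks to the user
    kind: str           # "file", "registry" or "network"
    op: str = ""        # file: read/write/create/delete; registry: write
    target: str = ""    # file path, registry key (trailing \) or registry value
    port: int = 0


def check_registry_syntax(keys, values):
    """Return entries ThreatFire would reject: keys need a trailing \\, values must not have one."""
    return [k for k in keys if not k.endswith("\\")] + [v for v in values if v.endswith("\\")]


def _in_watched_folder(path):
    norm = ntpath.normcase(path)
    return any(norm.startswith(ntpath.normcase(f).rstrip("\\") + "\\") for f in WATCHED_FOLDERS)


def _parent_key(target):
    """'HKCU\\A\\B\\Name' -> 'HKCU\\A\\B\\'; 'HKCU\\A\\B\\Sub\\' -> 'HKCU\\A\\B\\'."""
    return target.rstrip("\\").rsplit("\\", 1)[0] + "\\"


def file_rule(ev):
    """Any process writes/creates/deletes a file that looks executable in a watched folder."""
    if ev.kind != "file" or ev.op not in ("write", "create", "delete"):
        return False
    name = ntpath.basename(ev.target).lower()
    return any(fnmatch(name, g) for g in EXECUTABLE_GLOBS) and _in_watched_folder(ev.target)


def registry_rule(ev):
    """Any process writes to a listed key or a listed value (exact matches; no wildcards)."""
    if ev.kind != "registry" or ev.op != "write":
        return False
    target = ev.target.lower()
    keys = {k.lower() for k in WATCHED_KEYS}
    values = {v.lower() for v in WATCHED_VALUES}
    return _parent_key(target) in keys or target in values


class NetworkRule:
    """A non-interactive process creates CONNECTION_THRESHOLD connections on a watched port."""
    def __init__(self):
        self.counts = Counter()

    def __call__(self, ev):
        if ev.kind != "network" or ev.interactive or ev.port not in WATCHED_PORTS:
            return False
        self.counts[ev.process] += 1
        return self.counts[ev.process] == CONNECTION_THRESHOLD


def evaluate(events):
    """Run every rule over the event stream; return (rule, process, target) alerts."""
    rules = {"Executable file protection": file_rule,
             "Startup registry protection": registry_rule,
             "Silent outbound connections": NetworkRule()}
    alerts = []
    for ev in events:
        if ev.trust in EXCLUDED_TRUST:   # exclusions screen: system/trusted processes may do this
            continue
        for name, rule in rules.items():
            if rule(ev):
                alerts.append((name, ev.process, ev.target or f"port {ev.port}"))
    return alerts


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    Event("dropper.exe", "untrusted", True, "file", "create", "C:\\Windows\\System32\\evil.dll"),
    Event("notepad.exe", "untrusted", True, "file", "write", "C:\\Users\\kees\\notes.txt"),
    Event("svchost.exe", "system", False, "file", "write", "C:\\Windows\\System32\\drivers\\x.sys"),
    Event("dropper.exe", "untrusted", True, "registry", "write", "HKCR\\Folder\\ColumnHandlers\\{0000}\\"),
    Event("dropper.exe", "untrusted", True, "registry", "write", "HKCU\\Control Panel\\Desktop\\ScreenSaveActive"),
    Event("dropper.exe", "untrusted", True, "registry", "write", "HKCU\\Control Panel\\Desktop\\Wallpaper"),
    Event("updater.exe", "untrusted", False, "network", port=80),
    Event("updater.exe", "untrusted", False, "network", port=443),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running it yields four alerts: the .dll dropped into C:\Windows\System32, the new subkey under the watched ColumnHandlers key, the write to ScreenSaveActive, and the first port-80 connection from the non-interactive updater. The .txt write, the system process writing a .sys, the Wallpaper value (not listed, and there are no wildcards) and the port-443 connection are ignored, which is what the exclusions and exact lists in the wizard give you.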
#24
August 18th, 2007, 10:06 PM
Trespasser
Frequent Poster
Join Date: Mar 2005
Location: Clintwood, Virginia
Posts: 966
Re: Threatfire custom rules setup

Excellent post. I appreciate the knowledge you've displayed. Thanks.
#25
August 19th, 2007, 06:08 AM
Kees1958
Re: Threatfire custom rules setup

Thx,

but the good thing about forums is that it is now also your knowledge. Same as I have acquired a lot from Aigle, Bigc, Bellgamin, Easter, Herbalist, Kerodo, Mrkvonic, Nicm, Solcroft, TopperID, ZopZop and many others.

Some specific startup files I forgot:
- C:\ntldr
- C:\boot.ini
- C:\Windows\system.ini
- C:\Windows\wininit.ini
- C:\Windows\win.ini

Regards Kees

Last edited by Kees1958 : August 21st, 2007 at 08:10 AM.
 
