A light best of freeware breed HIPS do it yourself setup

Discussion in 'other anti-malware software' started by Kees1958, Feb 26, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958
    Offline

    Kees1958 Registered Member

    Well, I had said to 3xist to try the new CIS, so I saved my image (with paragon) and data (syncback on external harddrive) and gave it a test ride.

    But because Melih's thinks that developing a AV is quite easy (just provide a cure for all the malwares you know), I reconned that CIS alone would be a to weak AV to use by itself.

    I have used ThreatFire before to reduce the pop-ups of Defense+ (simply untick all the common intrusions and let TF deal with it), so TF would be my candidate to reinforce the AV module of CIS.

    Because nothing beats LUA + SRP and next best soluton (best when running admin) is a policy HIPS like DefenseWall or GeSWall, I decided to give EdgeGuard (also freeware) a spin. To be honest I tried with GeSWall, but CFP starts to read an awfull lot of data, which CFP does not do with EdgeGuard.

    To compensate for the lesser features I decided to add Chromium as daily browser (has an internal sandbox). Chrome (the Chromium open source version) has the advantage that it can be started with -incognito parameter. This -incognito truly makes leaves no tracks as I had read from a security bulletin somewhere. With some TF custom rules I can harden Chrome (no data access outside download directory and no registry access to HKU, EdgeGuard protects the HKLM hive). No worries I will add them in these post, just give me some time for the screen prints. I have set it up for XP SP3, Vista users can omit EdgeGuard Solo, when they add Norton's UAC tool (browser starts with minimal rights, Norton's UAC tool intercepts the elevation requests).

    At home we use IE7 for shopping and banking (simply because some music websites have only implemented full compatibility with IE). So Chrome for daily browsing IE for Windows update and banking. To strengthen IE, I added the beautifull KeyScrambler free.

    So lets start. (for impatience members, see http://www.wilderssecurity.com/showpost.php?p=1413356&postcount=28 for an visual explanation)


    Ohh: to make this work properly, you should have an C: partition on which your programs reside. And a D (Data) aprtition on which you keep your data. Advantage of having seperate Programs and Data partition, is that your data is not lost when your ssystem crashes fatally. When you do not how to do it, this setup is not good for you (and playing with malware neither).

    After having two partitions, move your documents to D (see image) and change the system variables for Temp and tmp (system properties, advanced, see right). Also move your Outlook express folders (open OE, click extra, choose options, click on maintenance tab and click on the Archive Map button) the reason we want our download directory and this data on D is that it will be more restrictive in execution rights.

    Attached Files:

    • i1.JPG
      i1.JPG
      File size:
      106.3 KB
      Views:
      120
    Last edited: Feb 27, 2009
  2. Kees1958
    Offline

    Kees1958 Registered Member

    Attached Files:

    • K1.JPG
      K1.JPG
      File size:
      32 KB
      Views:
      4,896
  3. Kees1958
    Offline

    Kees1958 Registered Member

    Next install ThreatFire and make sure you set a life line for TF eating critical processes (later on I will show how to minimize this), by setting a restore point before quarantaine.

    Attached Files:

    • TF1.JPG
      TF1.JPG
      File size:
      51.3 KB
      Views:
      5,014
  4. demonon
    Offline

    demonon Guest

    I am very sorry for this early post.
    Can my post be deleted please?
    Last edited by a moderator: Feb 26, 2009
  5. Kees1958
    Offline

    Kees1958 Registered Member

    Attached Files:

    • ch.JPG
      ch.JPG
      File size:
      36.2 KB
      Views:
      4,837
  6. Kees1958
    Offline

    Kees1958 Registered Member

    Attached Files:

    • E1.JPG
      E1.JPG
      File size:
      31.4 KB
      Views:
      4,857
  7. Kees1958
    Offline

    Kees1958 Registered Member

    Now it is time to download Comodo Internet Suite, install both AV and FW, I omitted the ASK toolbar.

    Remember this will not be a typical Comodo setup, but a strong low noise configuration where other securit aps take over to be secure with few pop-ups.

    So lets first make teh FW a little more quiet. Only one pop-up per program See pic)

    Next start all yotu intenet facing aps at least once and allow pop-ups. Reboot just to make sure.

    Attached Files:

    • C1.JPG
      C1.JPG
      File size:
      91.3 KB
      Views:
      32
    Last edited: Feb 26, 2009
  8. jmonge
    Offline

    jmonge Registered Member

  9. Kees1958
    Offline

    Kees1958 Registered Member

    Next we are going to improve file protection (remember you will get a more user firendly set up than with Clean PC mode, but with stronger protection).

    So go to my protected files and select from the feault file groups the ones shown in the image (click on image to enlarge)

    Attached Files:

    • C2.JPG
      C2.JPG
      File size:
      126.6 KB
      Views:
      77
  10. jmonge
    Offline

    jmonge Registered Member

    nice screenshot:)
    anyway is this comodo more stable than the other one?ofcourse with the antivirus thanks
  11. GES/POR
    Offline

    GES/POR Registered Member

    No offense but maybe it would be an idea to let Kees finish his page first?
  12. jmonge
    Offline

    jmonge Registered Member

    sorry:D GES/POR and sorry kees:)
  13. Kees1958
    Offline

    Kees1958 Registered Member

    Now we are going to create some new file groups

    - C Programs Drive
    - Other Drives

    The latter you must enter also the drive leter of CD/DVD, Floppy, USB sticks (just enter drive letter X:\* for all files).

    Idea behind is that you have a more restricted policy for D than for C

    Attached Files:

    • C3.JPG
      C3.JPG
      File size:
      174.4 KB
      Views:
      31
  14. Kees1958
    Offline

    Kees1958 Registered Member

    Now we are going to define to where Defense+ willl look at (the other issues are handled by threatfire, so do not worry about it). See picture

    Attached Files:

    • C4.JPG
      C4.JPG
      File size:
      101.7 KB
      Views:
      32
  15. Kees1958
    Offline

    Kees1958 Registered Member

    Now we are going to define a new policy and change some existing.

    I have changed the name of isolated application to blocked (just my preference because it is a little more clear)

    I have changed the setting sof limited as shown below

    Attached Files:

    • `C6.JPG
      `C6.JPG
      File size:
      200.8 KB
      Views:
      43
  16. Kees1958
    Offline

    Kees1958 Registered Member

    And the new group

    Attached Files:

    • C7.JPG
      C7.JPG
      File size:
      187.8 KB
      Views:
      32
  17. Kees1958
    Offline

    Kees1958 Registered Member

    Now we are going to Defense+ security polict.

    Delete the default (*) All Applications entry and replace it with a new one for the file group C Programs drive with the liberal policy restriction of Existing Applications

    Add a second more restrictive policy (LIMITED) for the other drives (sorry RESTRUCTIVE in the pic, is a typo, more restrictive is correct)

    Attached Files:

    • C8.JPG
      C8.JPG
      File size:
      135.6 KB
      Views:
      26
    Last edited: Feb 27, 2009
  18. Kees1958
    Offline

    Kees1958 Registered Member

    I will be posting TF custom rules, have to go now
  19. jmonge
    Offline

    jmonge Registered Member

    thanks kees,i'll love to see tf;) thanks
  20. Kees1958
    Offline

    Kees1958 Registered Member

    Okay now we are going to tune ThreatFire, first some precautions

    Add you security programs to the trusted list. Djames of TF support told me that those processes will never be quarantained.

    Also select the e-mail and webbrowsers which you have on board. I also added and deselected the ones not used. I fo not know but when I had to program the rules based behaviour decisions, I would rate intrusions from a program on this list higher than 'normal' programs. I have also asked to implement a change and not quarantaine them. I do not know whether PCtools has implemented, but hey it does not do any damage

    Attached Files:

    • TF5.JPG
      TF5.JPG
      File size:
      178 KB
      Views:
      34
  21. Kees1958
    Offline

    Kees1958 Registered Member

    Now on to the custom rules,

    Select the default rule "Host file protection" The rules wizard of TF is really straightforward. When you follow the steps and press the underlined fields after selection in the lower window it is real easy.

    Attached Files:

    • TF6.JPG
      TF6.JPG
      File size:
      73.2 KB
      Views:
      28
  22. Kees1958
    Offline

    Kees1958 Registered Member

    Now an example with text and image

    Why this rule Explorer is a normal start, you do not want to jumpstart IE or Chrome to navigate to websites, that is why this rule is created. Please start both IE and Chrome once from the desktop/navigating with explorer and choose ALLOW + REMEMBER

    Web browser started

    [SYNTAX]

    When any process
    tries to execute|TriggerAccessFlags a file
    named chrome.exe or iexplore.exe|TriggerFiles
    except when the source process is in the trusted process list

    DESCRIPTION
    Web browser is started

    This is a NORMAL situation when you have clcked on a LINK in a document or a an e-mail, choose ALLOW (plus REMEMBER). In other situations, click on "Learn more about this threat", when nothing is mentioned choose ALLOW, otherwise KILL (without remember).

    Attached Files:

    • TF8.JPG
      TF8.JPG
      File size:
      213 KB
      Views:
      61
    Last edited: Feb 27, 2009
  23. Kees1958
    Offline

    Kees1958 Registered Member

    Remember chrome is your browser for dodgy surfing. Its internal sandbox, makes it about 70% less vulnarable to intrusions than other browsers., Besides that it is ultra fast, so forget No script enjoy full functionality.

    Let's harden Chrome (Remember EdgeGuard already protects teh HKLM registry hive)

    First REGISTRY containment

    DESCRIPTION
    Chrome tries to change the REGISTRY

    This is not normal, click "Learn more about this threat". Only when no malware reference is found choose ALLOW, in all other cases chose KILL.

    SYNTAX

    When Chromium|SourceProcesses
    tries to write to the registry
    to HKEY_CURRENT_USER\|TriggerKeys
    except when the source process is in the trusted process list
    or the target registry key is HKEY_CURRENT_USER\Software\Google\|ExcludedKeys
    or the target value is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History|ExcludedValues

    Attached Files:

    Last edited: Feb 27, 2009
  24. Kees1958
    Offline

    Kees1958 Registered Member

    Chrome data access. I have my downbload directory mentioned as D:\Downloads, you should to unselect the "ask where to download in the" Chrome settings

    DESCRIPTION
    Chrome tries to write outside download directory

    This is not normal, click "Learn more about this threat". Only when you changed the download directory choose ALLOW, in all other cases chose KILL.

    SYNTAX
    When Chromium|SourceProcesses
    tries to write or delete|TriggerAccessFlags a file
    in D:\|TriggerFolders
    except when the source process is in the trusted process list
    or the target file is in D:\Downloads or D:\TEMP|ExcludedFolders
  25. Kees1958
    Offline

    Kees1958 Registered Member

    CHROME EXECUTABLE ACCESS REMEMBER EdgeGuard already protects WIndows + System32, so only check on Program files

    DESCRIPTION
    Chrome access an executable

    This is not normal, click "Learn more about this threat". Only when no malware reference is found choose ALLOW, in all other cases chose KILL.

    SYNTAX

    When Chromium|SourceProcesses
    tries to write or delete or create|TriggerAccessFlags a file
    in C:\Program Files|TriggerFolders
    that looks like an executable
    except when the source process is in the system process list
    or the source process is in the trusted process list
    or the target file is in C:\Program Files\Chrome|ExcludedFolders
    Last edited: Feb 27, 2009
Thread Status:
Not open for further replies.