After reading a hacker's blog, I feel it's so hard to be safe.

Discussion in 'other anti-malware software' started by bonedriven, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That's good to hear, and also good news that Malware Defender is fast in developing :thumb:
     
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Check your pm
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Malware Defender is not to be taken lightly. It's at the moment on the same scale as the "few" others (excluding firewall/hips combos).

    I find it reliable and stable on XP Pro, and its compatibility with all my other security software is encouragement.

    It's exciting to see how far the few HIPS developers there are improve this amazing Windows security innovation.

    My DREAM TEAM ballistic missile system has gathered momentum & is now coming into reality. Sandbox/Virtual System coupled with a STRONG! HIPS plus a workable Behavioral Blocker and some script protection as a backdrop prevention, followed up by a reserve backup image! in event of any kind of unexpected happening.

    EASTER
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Sounds good, I learn a lot, and from what I discovered, if one has a really well configured HIPS program there is no need of any antivirus/antispyware. Note: my taste, own experience.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm always amazed when you can LOCK OUT so very many sections of Windows by applying a simple rule with a checkmark and it sticks TIGHT!

    I use a desktop app named ICONOID. I created a rule to prevent reading the DESKTOP then ran the "finjan" test which puts that silly folder named "you been hacked" after using Wscript to copy some My Document files to it. Well, with a simple rule in EQS, finjan chokes and entirely aborts since it cannot access the DESKTOP that it thinks isn't there to begin with.

    On a refresh, some of my icons went AWOL and that was directly attributed to the "LOCK DESKTOP" rule I made and enabled. After removing the checkmark and APPLY, all my icons returned to normal again. ICONOID was prevented from ANY interaction with the desktop because of that HIPS rule.

    Now imagine locking down other folders that way, such as the TEMP directory in the Windows folder and such. I don't do that, but it was a good test of EQS strength in blinding signals to these areas. I normally allow anything to "READ" but demand to be alerted on some file signalling to land or modify files within various folders, especially vital system folders.

    EASTER
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    hell, I am just using SD and FD. Waiting on the new Prevx but in the meantime, I just reboot once a day and forget about all this stuff.
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Heretic - you should be burned at the stake for not understanding that 4 program layers minimum are required. Reboot once a day? You must learn to live in fear and stop spreading such nonsense ;)
     
    Last edited: Oct 25, 2008
  8. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    ROFL

    You're doin' it all wrong! You need at least 15 security enhancement software programs to protect yourself while online~!

    .
    .
    .

    Ok, I guess I don't have 15 different security programs either, just glad I have Returnil :argh:
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Must not be any code there for SSM. Nothing happened. Nothing ever happens. :rolleyes: Hope I never see a fly that looks like that. What is that "music"?
     
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Yeah, there are some codes to bypass the SSM paid version in her or her friends' blogs, I remember. I am no expert, but I thought she writes some codes relying on drivers or BIOS. She said one of her computers was ruined because of her BIOS rootkit or maybe bootkit (I don't know what they are) test.
    Check this pic:
    http://hiphotos.baidu.com/mj0011/pic/item/4279ecfa8e177acab48f31ae.jpg
    Although I don't know what it is all about, in the blog she said: "'Tophet' -- most powerful bootkit in the world? In this boot mode, it neither infects MBR\BootSector\Ntldr, nor modifies or adds any files in the windows folder. Even if you use WinPE or take off your hard disk, you can not detect the bootkit."

    You still think you are safe with SSM?
     
    Last edited: Oct 26, 2008
  11. guest

    guest Guest

    I'm a little bit curious too. Can someone PM me the removed and probably inoffensive link?
     
  12. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Check your PM plz.

    Anyone who wants to check her blog may go to Comodo's forum, and in the "Diskshield" section you may find her blog's address in the post "helpless and useless diskshield".
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I didn't see that image anywhere. Most likely, Proxomitron filtered it out. That site is almost impossible to read, even with a translator.
    SSM doesn't keep me safe. My security policy, default-deny, does that. SSM is part of the package that enforces it. As for any code on that site defeating my package, if I'm stupid enough to launch the code, anything is possible. For the malicious code to infect me from the net, it has to get through Proxomitron unfiltered, a tall order. Then it has to execute without being detected by SSM. I don't see how this is going to happen. No, I'm not worried about it.

    Can't make the image of the code appear as a link instead of an inline image. Removed. The code in your link doesn't target my OS anyway. It won't do anything to it.
     
    Last edited: Oct 26, 2008
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Not in the MBR, not in the boot sector even. Where does this bootkit then stay?
     
  15. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    The same question and wild guesses follow her post in the blog, with no answer. BTW, she rarely tests her rootkits or bootkits to see if they can bypass HIPS, but she likes to check if they can be hidden from IceSword, Rootkit Unhooker etc. Since she posts them out, it is mostly a positive. Those attacks are considerably low-level attacks, when they can cause hardware damage, as she once said.
    But I don't mean that we need to panic or add more security to our PCs because the attacks are so heavy. We, especially the ones who like to spend time on the Wilders forum, are mostly far from danger. People here are even kind of paranoid in my opinion. The point of my post is that, I think most of the time, the attackers are in front of the security software in the competition. We said signature-based AVs were out of date, so we went to HIPS. But HIPS is actually another kind of signature-based AV. It can be called an attack-method-signature-based AV.
    We have guns before we have shields. Right?
     
    Last edited: Oct 26, 2008
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Conventional signature-based AVs are definitely obsolete technology that can't keep pace with the threats, but few AVs rely on just signatures anymore. HIPS, at least the classic ones like SSM, have nothing in common with AVs. HIPS and AVs use entirely opposite security policies. AVs are an example of default-permit. Anything not specifically identified as malicious is allowed. With default-deny, anything not identified as safe and whitelisted is blocked. The biggest difference between them is in how the unknown or unidentified is handled. That's where conventional security apps like AVs fail. Classic HIPS can best be described as application firewalls with additional registry, services, autostart locations, and other protections. Classic HIPS is anti-change software. IMO, apps like SSM are the ultimate whitelisting tools. When used to enforce a default-deny policy, any application not whitelisted cannot execute, which includes most malicious code. When malicious code is inserted into files or web content, and these are opened by the allowed applications normally used for those types of files, the HIPS' ability to control the parent-child permissions of individual apps will often prevent that code from accessing and compromising more of the system. It's that ability to effectively isolate the targeted applications from each other and from the operating system in general that makes HIPS so effective, provided the user is knowledgeable enough to configure the HIPS, operating system, and installed software to the same policy.

    IMO, when malicious code is allowed to execute, there are no guarantees, no matter what kind of security package you're using. There's no operating system or security application that's invulnerable. There's no containment software that's impossible to escape from. Eventually it will happen, the vendor will fix it, and we'll do it all over again (penetrate, patch, repeat). Too bad for those who get compromised in the meantime. Hopefully, something else like their AV will detect and stop the code from compromising their system.

    A system-wide default-deny policy attempts to do several things.
    1. It attempts to prevent malicious code from getting onto the system.
    2. It prevents any malicious code that does from being executed.
    3. It attempts to mitigate or contain the effects and actions of any malicious code that does get executed.

    The first item, preventing the code from getting onto the system is a combination of traffic control, content filtering, and user discipline and/or control.

    The second item, preventing the code from executing is fairly easy when the code is its own executable, such as a trojan process or an installer for a rootkit. It gets harder when the code is embedded in familiar types of files the user regularly uses, like PDFs, media files, web content, etc. Filtering apps, AVs, etc also have roles here.

    The third item is the point when the strategy shifts to damage control, preventing that executed code from installing, altering the system, and/or gaining access to the OS itself or to other applications that have sufficient access to perform the task for them. This is the harder part, isolating the attack surface as much as possible. It is the opposite of what is normal for Windows and most user software, the integration of applications and operating system together to make things easy and convenient. Most users don't like applications isolated from each other and won't use a security policy that does this.
    An example of malicious code that can exploit this integration is the POC for last year's zero-day PDF vulnerability. If the system is configured to open online PDFs in the browser, HIPS cannot contain the actions of the exploit code. If that browser is Internet Explorer, the malicious code would have access to the OS itself because Internet Explorer is part of the OS. If that same PDF is saved to file, then opened with Acrobat directly (not in the browser), then HIPS can prevent the code from launching the browser and gaining access to the OS.

    Much of what I've posted may seem off topic, but it does show one way that unknown or new malicious code can be dealt with. In my opinion, a default-deny policy is the best way to secure a system against unknown threats. Yes, some of this new malware is very nasty. The thought of it running on your system is frightening. I truly think some of it is reaching the point of becoming almost permanent, either undetectable or not removable by anyone without specialized equipment. It's definitely not something an AV is going to remove. Thanks in part to botnets, malware can be spread quite far before the AV vendors can get detections for it released. This makes prevention more important than ever. It's impossible to specifically defend against every new type of malware or every potential delivery method. The more interactive the internet becomes, the more methods there will be for delivery. Regardless, it still has to get onto your system and it still has to be executed. Both of these can be stopped. IMO, a default-deny security policy is the best way to protect your system against new threats. The more the user understands the workings of their system, the better they can configure it and their security apps to enforce the security policy.
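The default-permit versus default-deny distinction, and the parent-child control the post describes, as an added toy model (not code from SSM or any other product in the thread); the rule table, the blacklist and the launch events are constructed for illustration.

```python
"""Toy model of a HIPS-style process-launch policy (added example, constructed data).

Default-permit (the AV model): block only what is on a blacklist, allow the rest.
Default-deny (the classic HIPS model): allow only what is whitelisted, block the
rest, and control which children each whitelisted parent may launch.
"""
from dataclasses import dataclass

# Whitelist: parent executable -> children it may launch. Anything not listed is
# denied. Browser and document viewers get no children at all, so exploit code
# running inside them cannot spawn a new process (constructed rule table).
WHITELIST = {
    "explorer.exe": {"firefox.exe", "acrobat.exe", "winword.exe"},
    "firefox.exe": set(),
    "acrobat.exe": set(),
    "winword.exe": set(),
}

# Default-permit: a fixed list of names already known to be malicious.
BLACKLIST = {"dropper.exe"}


@dataclass(frozen=True)
class LaunchEvent:
    parent: str  # process requesting the launch
    child: str   # executable being launched


def default_permit(event: LaunchEvent) -> bool:
    """Allowed unless the child is already known bad; unknowns are allowed."""
    return event.child not in BLACKLIST


def default_deny(event: LaunchEvent) -> bool:
    """Allowed only if the parent is whitelisted AND the child is permitted for it."""
    return event.child in WHITELIST.get(event.parent, set())


# Constructed sample of launch requests, in order of appearance.
EVENTS = [
    LaunchEvent("explorer.exe", "acrobat.exe"),    # user opens a saved PDF
    LaunchEvent("acrobat.exe", "iexplore.exe"),    # exploit tries to reach OS via IE
    LaunchEvent("acrobat.exe", "unknown123.exe"),  # exploit drops a brand-new binary
    LaunchEvent("firefox.exe", "dropper.exe"),     # drive-by drops known malware
]


def evaluate(events, policy):
    """Return (parent, child, allowed) for each event under the given policy."""
    return [(e.parent, e.child, policy(e)) for e in events]


if __name__ == "__main__":
    for name, policy in (("default-permit", default_permit), ("default-deny", default_deny)):
        print(name)
        for parent, child, ok in evaluate(EVENTS, policy):
            print(f"  {parent} -> {child}: {'ALLOW' if ok else 'BLOCK'}")
```

Note that the model only sees process launches: a PDF rendered inside the browser process itself creates no launch event, which is exactly the case the post says HIPS cannot contain.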
     
  17. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Where would one encounter these threats?

    If you practise safe surfing - mail checking, visiting two or three regular sites (up for debate, I know), what would the chances be for a user to get infected by these kind of viruses?
     
  18. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi no1 particular,
    I agree with what you said above. We don't have disagreement there.
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I hear ya brother. Shadow Defender, best program I've used.
     
  20. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Maybe I misunderstand your point of talking about SD in this post. I have to tell you that, according to this hacker's post in her blog, all software like DeepFreeze, Comodo's Diskshield etc., including 360guardshield, which is the product of the company she works for, can be bypassed using her new tech. And the method will be released at XCON2008.
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Mentioned DiskShield, but that's in beta stage and a new program. It will improve as time goes by. From my understanding, programs like Returnil and Shadow Defender, have been tested more thoroughly and put through their paces.

    But maybe you're right. However, to what degree can the exploit work as a drive-by download? Maybe the exploit only works once it's already configured and installed.

    But then again, what are the chances of that happening when I visit a handful of reputable sites? IMO, I'd have more chance of my house being blown up by a submarine missile. :)
     
  22. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I don't know.
    You are probably right.
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    It's all cool. You're doing the good thing and informing others about it.

    I wasn't trying to sound like a smart @ss, as anyone can have things go wrong when they least expect it. I watched as all my files/resume/application letters were all deleted while I had a firewall and AV on.

    And you're right that a lot of the programs we have today are reactive. They were created in response to what was/is affecting systems. But the creators of 'malware', they are proactive, always trying new things. So it's a matter of time before something new takes shape. There will be a short period, but the 'reactive' programs will obviously catch-up, and then you'll have problems again, a lag when a program/patch is being developed, then catch-up.

    On another level, best thing I've done is avoid torrents. They're free, but there's a catch. Nowadays, if I want a DVD, I'll pick one up for cheap online and save myself all that 'long careful monitoring' that comes with opening large unknown files.
     
  24. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    If we are talking about BIOS modification, appz like Shadow Defender or Disk Shield cannot prevent this; they are meant to prevent disk modifications, not BIOS. Also, BIOS modification from the Windows OS could be stopped by: HIPS (if there is a protected API which the malware hooks on); "sandbox" software like Sandboxie should also prevent BIOS modification, and virtual machines also (your virtual BIOS will be modified).

    ~shiver P.S.~ try to flash bios from SD defended partition e.g. system drive, I think you will succeed...
     
    Last edited: Oct 27, 2008
  25. wat0114

    wat0114 Guest

    Slim and none. These perceived evil threats lurking around the corners of every website we visit are so overblown by some in these forums, it's hilarious.
     