An interesting way to bypass SRP (and potentially other security setups)

Discussion in 'other anti-malware software' started by ssj100, Sep 30, 2009.

Thread Status:
Not open for further replies.
  1. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336

    Me too :D
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    But one of the key points for me is that you normally don't have to run applications as trusted with DW. So you can often install software as untrusted whilst still keeping the software contained in a stronger than LUA environment. Therefore you take away any decision making, eliminating one further weakness.
     
  3. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I think with that comment you show that you don't really understand DW.
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    That's not how 99% of normal users operate. That's why so many people get hit by malware. Fine for most people on Wilders, but not for the rest of the population.

    I don't really understand the relevance of that.
     
  5. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I think we are talking about 2 different ways of protection: one is for advanced users and it's ssj100's way, and the second is DW, which belongs to new PC users, or let's call them noobs :)

    Both methods work, depending on your skill in understanding what is going on behind the scenes, and according to that you select the more suitable way for you.

    cheers :)
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    There's really not too much point in arguing whether (some security software) or LUA is stronger.

    Some classic HIPS or something like DefenseWall offers very granular control over things that are far beyond the intended scope of different types of user accounts in modern multi-user operating systems. They can do things LUA was never intended to do. In that sense, they're certainly undeniably stronger as malware protection.

    LUA is not intended to be comprehensive malware protection or anything like that - it's just access control that naturally also limits the access malicious software could have. In that role it's very useful, and indeed should be a key part in most any security policy. It doesn't cost extra, and you don't need to install new versions of it. It can often help security software be more effective against threats, even when the security software has an unpatched vulnerability or a design defect that could be exploited by a malware. And it does do some things that few HIPS-like products do, like controlling what files and folders the user can access - handy stuff when you don't want the kids deleting all your files, for example. If one wishes to compare strengths, then LUA's strength is that it's free, far less intrusive than most security software, doesn't cause slowdown or kernel stability issues that you wouldn't otherwise have and doesn't present the user with complex choices: the only thing the user might get asked about in LUA is "Do you want to run this as admin, yes or no?"

    So, really, the well-informed LUA advocate obviously won't claim that LUA by itself somehow provides the best security possible with software. Instead the claim is that LUA is an essential basis to build security on, and if one is so inclined, is pretty effective against many things even all by itself, and very effective if the user knows what he's doing. This can allow some users to run a much lighter and cheaper setup without unreasonable risk, for example. But perhaps the best reason to use LUA is because it's there. Why make things easy for the bad guys? LUA makes it harder to own systems completely. Why shouldn't people use it, especially the kind of people who aren't very advanced with computer security, when it's free and won't slow your system down or make it crash? For those people who would normally only run an AV while being admin, going to running AV with LUA would be a massive increase in security, and would benefit everyone online. To not advocate that would be idiotic.
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well..., I don't work in a field even remotely related to IT, and have my share of complaints with the IT dept of my employer... but the IT folks have a point if operational stability is a goal, and it generally is.

    Blue
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It's less making decisions per se and more making those decisions on-the-fly. After all, any approach requires decisions to be taken at some point in time.

    Blue
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Software which requires admin rights, simply fails when installed as untrusted.

    You have no idea how DW works, so what is the point of replying I ask myself.

    As stated earlier: on our Vista x64 the security is formed by UAC (Norton UAC control), Software Restriction Policies through Sully's PGS (deny execute in user space, LUA for all internet-facing apps, excluding IE8, since it starts with lowest rights = protected mode) and MSE.

    With the added security/contingency features of Vista x64 (over XP f.i.), I am sure this is a pretty solid setup. UAC/SRP is good prevention.
     
    Last edited: Oct 2, 2009
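    The post above describes a default-deny SRP policy ("deny execute in user space"). The script below is an added audit example, not code from the thread, from PGS or from DefenseWall: it reads the standard SRP (Safer) registry keys on a Windows machine and reports the settings that decide whether such a policy actually holds (the default level, whether administrators are exempt, whether DLLs are covered, and any Unrestricted path rule that points into a user-writable location). It assumes PowerShell 3.0 or later, read access to HKLM, and the usual SRP registry layout; the level codes follow the SAFER_LEVELID_* constants. It only reports and changes nothing.

```powershell
# Added example (not from the thread): audit the machine SRP configuration by
# reading the Safer registry keys. Assumes Windows, PowerShell 3.0+, and the
# standard SRP registry layout under HKLM.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel and the per-level subkeys use these numeric codes; the subkeys
# are named in decimal (e.g. "0" and "262144").
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'      # 0x01000
    65536  = 'Constrained'    # 0x10000
    131072 = 'Basic User'     # 0x20000
    262144 = 'Unrestricted'   # 0x40000
}

function Get-SrpPolicySummary {
    # Returns one object describing the machine policy and its path rules.
    if (-not (Test-Path -Path $SaferRoot)) {
        return [pscustomobject]@{
            Configured = $false; DefaultLevel = $null; PolicyScope = $null
            TransparentEnabled = $null; Rules = @()
        }
    }
    $root  = Get-ItemProperty -Path $SaferRoot
    $rules = foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        $levelCode = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelCode)) { continue }
        $pathsKey = $levelKey.PSPath + '\Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$levelCode]
                Path        = [string]$rule.ItemData
                Description = [string]$rule.Description
            }
        }
    }
    # When DefaultLevel is absent SRP behaves as Unrestricted, so report that
    # rather than mapping a missing value to 0 (Disallowed).
    $defaultLevel = if ($null -eq $root.DefaultLevel) { 'Unrestricted (not set)' }
                    else { $LevelNames[[int]$root.DefaultLevel] }
    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $defaultLevel
        PolicyScope        = $root.PolicyScope          # 0 = all users, 1 = all except local admins
        TransparentEnabled = $root.TransparentEnabled   # 1 = executables only, 2 = executables and DLLs
        Rules              = @($rules)
    }
}

function Test-SrpHardening {
    # Flags the settings that undermine a "deny execute in user space" policy.
    param([Parameter(Mandatory = $true)] $Summary)
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $Summary.Configured) {
        $findings.Add('No SRP policy present: nothing restricts execution from user-writable paths.')
        return $findings
    }
    if ($Summary.DefaultLevel -ne 'Disallowed') {
        $findings.Add("DefaultLevel is '$($Summary.DefaultLevel)'; a default-deny policy needs Disallowed.")
    }
    if ($Summary.PolicyScope -eq 1) {
        $findings.Add('PolicyScope = 1: members of the local Administrators group are exempt.')
    }
    if ($Summary.TransparentEnabled -ne 2) {
        $findings.Add('TransparentEnabled is not 2: DLLs are not checked, only executables.')
    }
    # An Unrestricted rule pointing into a location a standard user can write
    # to reopens the gap the default-deny rule was meant to close.
    $userWritable = '(?i)%(USERPROFILE|TEMP|TMP|APPDATA|LOCALAPPDATA)%|\\Users\\|\\Documents and Settings\\'
    foreach ($rule in $Summary.Rules) {
        if ($rule.Level -eq 'Unrestricted' -and $rule.Path -match $userWritable) {
            $findings.Add("Unrestricted rule '$($rule.Path)' allows execution from a user-writable location.")
        }
    }
    return $findings
}

$summary = Get-SrpPolicySummary
$summary | Format-List Configured, DefaultLevel, PolicyScope, TransparentEnabled
$summary.Rules | Format-Table Level, Path, Description -AutoSize
Test-SrpHardening -Summary $summary | ForEach-Object { "FINDING: $_" }
```

    Run it in an elevated or standard PowerShell session on the machine being checked; a policy built the way the post describes should produce no findings, and each finding names the single registry setting or path rule to revisit.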
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SSJ,

    We have a history of teasing/challenging each other. Consider it a tease gone bad. I do not want to sound arrogant, neither am I bitter towards you. Something is lost in translation; my sincere apologies.


    With DW v3 it is quite simple for my wife.

    I have password protected DW's setting.

    With DW3 you can tell DW to use a whitelist; when you apply the whitelist, you can choose on which threat gates it is valid. So when she installs from a USB drive or one of the browser download areas AND it is whitelisted, DW automatically allows the install as if it were a trusted object.

    All other installs will fail when the install needs admin privileges. In daily practice a failed install will revert the installation process (at least this is what has always happened in our experience; I can check this using the logs/roll-back list). When you want to allow such an install, you have to manually set this object to trusted. This requires a password (same as Run as Admin would do).

    So she even gets fewer error messages than running LUA (in which whitelisted installs needing admin rights would also fail with a message).

    Also, DefenseWall is the quietest HIPS and FW available on the market to my knowledge (the whitelist is also used for outbound traffic when you choose to apply it).

    So using arguments like granular control and flexibility ONLY applies to DefenseWall when you are a fanatic user of the resource protection feature of DW and have set resource protection notifications on (otherwise the user will be silently protected).

    Also, Ilya has implemented a lot of my resource protection features out of the box (e.g. denying other untrusted programs access to your web address book or email folders).

    There is currently only one Resource Protection rule which I use extra (compared to the out-of-the-box settings of DW). Maybe you remember the BufferZone trojan test. The trojan thinks there are no files in My Documents, because resource protection prevents it from reading My Documents.

    You can consider resource protection of DW as advanced ACL on steroids, the same as DW itself can be considered as SRP as basic user on steroids.

    So we are not having a disagreement on the benefits of policy management. As said, on x64 I am quite happy with UAC + SRP (when GeSWall becomes available on x64, I will gladly add it to the setup and remove ThreatFire).

    Again: sorry for the tone of voice in the posts.

    Regards Kees
     
    Last edited: Oct 2, 2009
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    True,

    Stability (up time), cost and legal.

    Standardisation reduces cost; LUA is one way to increase standardisation.

    There is also a legal aspect. In some countries you can only claim damages when the person inflicting the damage could in all reason assume that his actions would cause damage. Because computer security is such a grey area, judges sometimes check whether the company acted as a 'governing parent' to prevent the employee from making stupid mistakes (or at least did not bring him/her into the circumstances to make mistakes). Because security is such a grey issue and related issues like privacy and non-disclosure of sensitive data are so complex by themselves, it is best practice to set up all employees as LUA (in most European Union countries).
     