Approaches to security - do you have one to share?

Discussion in 'other security issues & news' started by Sully, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Do let us know when this security for the brain dead appears.

    Until then though, looks like we are all in the same boat, so while each might choose a different style oar, we are hopefully all paddling in the right direction :blink:

    Sul.
     
  2. wat0114

    wat0114 Guest

    @Hungry Man,

    Your security "vision" only works if the individual(s) using the machine is a true "user" as in no admin rights granted - ever - and no one else has administrative control over it - ever.

    Your security "vision" fails once you introduce and accept the fact that from time-to-time, someone has to take administrative control of the machine and install software, updates, patches, and employ common administrative tasks.

    If a computer never even once required administrative input, then your dream vision could become reality :)
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So... tell me... what kind of technology do you think would save a user from installing something? Do note, the user WANTS to install it, either deliberately or deceived to install it, thinking he/she needs this something. That's the key word. I'm not talking about drive-by downloads and crap like that. The user WANTS to install it.

    What protection would you come up with that would ASSUME the user WILL install whatever he/she wants, and become infected... and that would protect the user? Behavior Blockers/HIPS/etc are out of the equation... we got them already, and they're not suitable for most people. Antimalware apps... we also got them... They're suitable... but far from being perfect.

    Something that monitors behaviors/patterns, silently and then alerts the user for malicious behavior? Something like AVG Identity Protection, which is what most people would be willing to deal with, due to its nature. Then again, not perfect either... and a whitelist is still needed for those applications that have similar patterns to known malicious patterns. Also, these malicious behaviors would have to be known.
     
    Last edited: Sep 5, 2011
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, that's exactly the situation I'm talking about. The user thinks it's a keygen they want to use (so naturally they let it through their AV/ typical crap thinking it's an FP) or whatever.

    Sandboxing is one thing. Restrictions on behavior. Integrity levels are another. Just constant restrictions on the application to minimize the damage it can actually do while still allowing it to run.

    EDIT:
    For example if you see videos reviewing antimalware products, you'll see something like DefenseWall or Sandboxie actually allows the malware to run... but it can't touch the system. So the user can let the product install and everything but they aren't in danger.

    The issue is compatibility. You have to restrict across the board while still keeping your regular stuff working and that limits how much you can restrict. That's why applications should be looked at as "known" or "unknown."

    EDIT2: And Admin isn't an issue. Admin just means they can write to admin folders/places - as long as they can only write to their own folder why is that an issue? Linux gets around most admin issues with software distribution, the only thing that needs admin is something that you know you can trust.
     
    Last edited: Sep 5, 2011
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It doesn't have to be a keygen. It could be what they think is Adobe Flash Player. The website tells them they need to install it in order to watch the video, they click the link and install the malicious file. If the antimalware is able to detect it, then, hopefully, they will stop a second and think whether or not it's malicious. Or, they will think Hey, I have Flash Player installed already... What the heck?

    So... common sense does need to be an active part of the security chain.

    ILs don't play a role in such a scenario. If the user is downloading something, then the browser needs to allow the interaction between lower integrity levels and higher integrity levels. If the user couldn't download whatever he/she wants to download... Well, I can't even imagine their reaction.

    For a very good reason the browsers (IE and Chrome) have a broker process, either running at medium or high integrity level.

    While they're great in their concepts, perhaps not what most would want to use... as a technology to protect them.

    Imagine the fake Adobe Flash Player scenario. The user believes he/she must install the application. Obviously, the user wants the application to be kept in the real system, otherwise he/she will have to install it over and over again, correct... Whether it's a fake or not, not really important... What's important is that they want to keep it in their real system.

    Heck, I keep Adobe Flash Player in my real system (I never really tried to install inside Sandboxie, so not sure if it would run fine there. :D). I want to be able to use it when I need it, without having to bother to install it over and over again. But, I have the common sense to know that Adobe does have an official website where I can download it from.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The issue is the way UAC is implemented. Once you elevate something, UAC gives full access.

    For example, I'm against having to protect AppLocker settings, and other stuff, with the same UAC. This stuff should be protected with another mechanism. But, it's not. (Edit: What I meant is that, when installing something, Windows Firewall, etc. should be off limits.)

    For most applications, the only permissions that would be needed would be access to Program Files and a few registry keys. Nothing more. The problem is that once you elevate something, it's open to whatever it wants to do.

    Will Microsoft change this? I doubt it, because if one UAC is already complicated for most... imagine more UAC-like mechanisms. lol
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Keygen was only an example. And the reason I am using it is to show how often people bypass their own security software saying "Hey, this is a virus" just because they think "Oh well keygens are always picked up as false positives." There are other times when the AV simply won't pick it up at all!

    I don't understand your point. The idea behind IL is still to limit programs - I'm saying it's a step in the right direction.

    When I say sandboxing I am not necessarily talking about full file virtualization. There is no "real" or "fake system." Flash gets installed as always.

    Sandboxie is the CONCEPT I am going with, same as DefenseWall. It is not the exact program I would implement. Obviously (as I stated) there needs to be tweaking because if everything was sandboxed there would be issues.

    Like I said, there should be more restrictions on applications. An application should not get free rein. Even in userland they can do a ton and in Admin they can do nearly everything.

    UAC is not the only issue. Every single application is given way too much power. If each application was restricted it would be different.

    Like I said, look at a DefenseWall video, they manage to keep themselves safe from malware while allowing the malware to run. There would have to be changes and it would have to be complementary to other security measures but the idea is the same - the user installs malware and it can't do anything to the system.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They should be able to. What I meant is that if I install Java and then I install malware and that malware tries to install to my Java folder the Java folder is either virtualized or denied.

    Honestly, I'm not here to rewrite the entire security scheme of Windows lol but there are concepts that we already see in programs like Sandboxie and DefenseWall that, if implemented and tweaked, would secure the user against socially engineered malware.

    Whitelisting would be nice. Microsoft has mentioned an "App store" for MS. If you separate everything into "trusted" (certificate), "App store" (downloaded from app store) and "Untrusted/unknown" you get more security. But again, even certified applications should be restricted AND protected.
     
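The "trusted (certificate)" versus "untrusted/unknown" split from the post above, together with the integrity-level idea discussed earlier in the thread, as an added PowerShell example (not code from any poster or product named here). It assumes a Windows host with the AppLocker module available and uses an assumed download folder path; the "App store" class is not checked, since that needs store metadata the example does not have.

```powershell
# Added example, not from the thread. Classifies executables the way the post
# describes: 'Trusted' = valid Authenticode signature, 'Unknown' = unsigned,
# 'Untrusted' = signed but the signature does not validate (tampered, revoked, etc.).
# Also reports the integrity level the current token runs at (the IL discussion above).

function Get-CurrentIntegrityLevel {
    # whoami prints the token's mandatory label, e.g. "Mandatory Label\High Mandatory Level"
    foreach ($line in (whoami /groups)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'Unknown'   # label line not found (unexpected on Vista+)
}

function Get-TrustClass {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $class = switch ($sig.Status) {
        'Valid'     { 'Trusted' }      # signed by a chain the machine trusts
        'NotSigned' { 'Unknown' }      # no publisher claim at all
        default     { 'Untrusted' }    # HashMismatch, NotTrusted, etc.
    }
    [pscustomobject]@{
        Path      = $Path
        Class     = $class
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Status    = $sig.Status
    }
}

function New-PublisherAllowRule {
    # Turns a 'Trusted' file into an AppLocker publisher rule (XML), i.e. the whitelist
    # the post asks for; assumes the AppLocker module (Windows Pro/Enterprise).
    param([Parameter(Mandatory)][string]$Path)
    Get-AppLockerFileInformation -Path $Path |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
}

# Assumed folder; adjust to the directory you want to audit.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
"Current token integrity level: $(Get-CurrentIntegrityLevel)"
$report = Get-ChildItem -Path $downloads -Include *.exe,*.msi -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-TrustClass -Path $_.FullName }
$report | Format-Table Class, Status, Publisher, Path -AutoSize
# Only the 'Trusted' class is eligible for an allow rule; everything else stays blocked.
$report | Where-Object Class -eq 'Trusted' | ForEach-Object { New-PublisherAllowRule -Path $_.Path }
```

Anything the script lists as Unknown or Untrusted is exactly the "socially engineered" fake-Flash-Player case from earlier in the thread: a publisher rule never matches it, so AppLocker denies it regardless of what the user clicked.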