Choosing anti-malware software: the dilemma of alerts

A couple of friends will be purchasing new computers later this year, probably with Vista. One may wait for Windows 7. I'm looking for something to prevent remote code execution exploits. Many of the products discussed in this forum do that, but all I've seen lack one of my requirements: Default-Deny alert. The ones I've seen require the user to make a decision.

Here is an alert of the conficker worm remote code execution USB Autorun.inf exploit, posted in another thread.
The alert displays as soon as the USB drive is connected:

This is typical of alerts in other similar products as well.​

Does every one here know what rundll32.exe does? What types of files it executes? Could this possibly be a normal action for rundll32 upon connecting a USB drive? Or when opening a MSWord document? Or when surfing the internet? If normal, then why the alert? If not, then why not Default-Deny?

Perhaps most around here consider themselves knowledgeable enough to make the decision that a trusted application, rundll32.exe, might be loading a malicious DLL, CPL, and so Block the action. For home users I've helped -- and I would guess most average home users could be included -- they would have no idea what is going on, or what "Process Patching" and "Code Injection" mean. I've heard the terms, but can not explain them in detail. Who cares? Is a knowledge of that necessary to secure a computer? I've not found it necessary.

One Default-Deny solution is Software Restriction Policies. I discussed this recently with Lucy, who had this comment:

In remote code executions, if an alert displays, for best security, there should be no option to "allow."

Tlu ran a USB Autorun.inf test for me and sent me the screen shot:

"Windows cannot open this program because it has been prevented by a System [software] Restriction Policy..."
​

Lucy ran my test where a MSWord document attempts to load a spoofed DLL:

"Error in Loading of DLL. This program is prevented by a Group Policy..."​

With a Default-Deny alert in these remote code execution situations, there is no opportunity for the non-technical user to make a wrong decision.

It occurred to me that perhaps there are other products with Default-Deny execution prevention, so I've attached a ZIP file with my MSWord.doc and Autorun.inf tests, using a Win2K version of the hmmapi.dll file. This is not malware. If the DLL loads, it starts the simple Mail MAPI Process and an instance of Microsoft Internet Explorer:

​

No malware involved.

If you know of a Default-Deny product, you can download my file (rename .txt to .zip) and run the tests and post a screen shot of the alert message.

For the autorun.inf test, you will have to enable Autorun. I use Autorun.inf as an easy way to demonstrate remote code execution. Recent PDF and Flash exploits use a type of remote code execution. It doesn't matter what the trigger mechanism is: they all attempt to do the same thing: download malware.

And they all fail with a secure Default-Deny solution in place.

Thanks for your time, if you do this test.


----
rich

 

Hi Rmus,

I see two problems with the alert in the first ss:

1. What process is rundll32.exe trying to manipulate?

2. What is meant by manipulate? Is it trying to launch the process, or control it in some way?

BTW, what is the program giving that alert?
Thanks!

 

Information or better yet, identification is the key variable in being duly informed that a potential PC disruption threat is looming within seconds if allowed to proceed.

For example in my HIPS the app EQS will alert to anything that Rundll is about to activate but it also will indicate clearly in english on the alert box not only the path but the file name which most of (us) would immediately be suspicious when faced with a file name such as in Rmus's example extension of .bkx or the real Conflicker file jwgkvsq.vmx

Now that may be a piece of cake for experienced users as Wilder's and other security forums members but a simple normal user likely would just allow it unless their machine was either #1, equipped with the security technology (program) to automatically intercept and delete it as by now most AV's/AS's should all be aware of, #2 incorporate some form of an Anti-Executable type security program or even virtual system, both of which would require some learning how to manipulate between protective mode & open mode, or just keep it a static system which in all likelihood would prove much too restrictive.

Getting back a little more on topic, sometimes in MAMUTU'S case here, just blocking the behavior may not be enough but rather a better choice could be to block the program (terminate it) completely. Then investigate thoroughly what is trying to run.

This is what gives EQS for me as a HIPS so much control, i can (Block "and" Terminate The Program") alerted to if it appears suspicious and begin an investigation to eradicate the file because the offending path is already been indicated & logged and it's just a matter of deleting it.

I use both Mamutu & EQS as double trip wire of sorts against new or unknown potential malware intrusions.

AS far as why and just what Rundll32 runs is IMO the way MS coded some of it's extensions to use Rundll32 to activate certain apps in similar manner as VBscript can't just run on it's own but needs wscript.exe/cscript.exe to launch it and whatever is coded in it.

I know i'm leaving out a lot of what's needed to learn more on this and other file types so other's more familiar can offer a much clearer picture on the ins and outs of it.

Thanks for the sample Rmus, gonna try it with just Mamutu myself and see what develops.

EASTER

 

Wat0114,

These are wrong questions.

M$, with Vista, has made the first step to the Linux world of security, where programs are written to be usable, and even installed under limited user account.

What Rmus said is that it shouldn't exist any trusted program, well coded, manipulating system componants. Therefore, any such behaviour has to be denied.

As an exception, one has to go to the admin account to allow once and for all the strange behaviour of a given trusted app, once and for all. But it has to remain an exception.

 

Hi lucy,

sorry to disagree, because I still want to know what is being manipulated and how exactly rundll32.exe is manipulating. Rundll32.exe does serve some non-malicious purposes in Windows. sorry if I'm missing the boat but what if you default-deny a legitimate manipulation, crippling the program in the process?

BTW, I'm just trying to learn something here, therefore my questions

 

Hi wat0114,

If an experienced user like you can't figure this out, how would an average home user?

Here are two other alerts from the same exploit:

​

IMHO all of this creates an unnecessary burden on the average user, requiring her/him to make a decision!


----
rich

 

Hi Rmus,

I asked the question because the alert in post 1 does not show the target Also the alert only specifies "Manipulate" but it does not state how. A good HIPS will show more info, such as what I'm using and obviously Comodo in your last post. BTW, when it comes to malware and how it functions, I'm not nearly on your level or that of some others in this forum, but I can eventually get the gist of things.

 

UNless the user blocks all instances of rundll32, the alert is not about rundll32, rather, what it is attempting to do. In this case, load a DLL -- with spoofed file extension -- not already on the computer, and from an unauthorized location.

If it were a legitimate rundll32, function, such as opening a Control Panel Applet, no alert should display.

But to have to analyze all of this in this scenario should not even be necessary, in my view. The alert should deny by default, precluding any of this.


----
rich

 

It's not necessary to know much about malware to protect a computer. All that is necessary is to understand the various methods by which malware (I prefer the term "unauthorized executables") can install (we'll omit user consenting to install something and focus on remote code executions -- drive-by downloads, if you prefer.)

My point is that a good Default-Deny solution in place to prevent remote code executions of malware precludes the necessity of technical knowledge and having to analyze an alert and make a decision to Allow/Block.

The people I have in mind know nothing about rootkits, hooks, etc, but understand the basics of protecting the computer against unauthorized intrusions.

SRP comes as close to the ideal of this for users with Vista, Windows 7, as far as I know. Hence, my asking for other suggestions!


----
rich

 

True enough. My approach is pretty simple yet effective: if I see something I'm not expecting, it isn't allowed to continue. I've been using HIPS for a few years now, and in truth probably more as a learning tool than one for security. The one I'm using, Malware Defender, can be set up to default deny, but it might be overkill for those with basic needs.

 

I don't know much about HIPS at all, but from reading some of the threads here, it appears to me to be more than I could expect from users who are used to simple Default-Deny solutions.

----
rich

 

I prefer another approach altogether, rather than any anti-malware or default deny. For me, any HIPS, or even default deny is just too annoying. I think I could answer prompts intelligently, but I don't even wanna see 'em. There are bound to be system things that need to happen when I'm just using the PC or installing something or other, and I hate popups or having something fail to install or execute etc.

I would prefer just having a good image around, or even a full reformat/reinstall of the OS (I can do a full Vista x64 reinstall, update and config in 3 hours, and an image restore in much less time). In the rare event that an unauthorized executable or drive-by actually hits me (never ever has this yet happened in 14 years online), I'd rather take the hit and start over, than deal with failed installs or actions, or HIPS popups, and so on.

Just my preference... I like my daily life to be easy and non-annoying...

 

but at least ''you'' know you are very well protected and secure

 

Just one example, not the Conflicker type but on the same priniciple, that is Rundll32 and how EQS my HIPS offers detailed IDENTIFICATION! just like other well-rounded security apps do.

 

Absolutely the majority of users will benefit more under your suggested approach. They don't want all kinds of alerts and would not want to bother trying to figure them out.

For me, I crave the alerts It's a hobby I guess. It allows me to see the inner workings, at least to some extent, of the O/S. I find it interesting to see how the diffderent common Windows processes interact with one another and the influence they have on others.

And this is what I like to see in an alert: details.

This is also, imo, an excellent approach, especially for those who surf unadventureasly, as it were, and obtain their software from trusted sources. Imaging software is indespensible imo.

 

Sorry, your question deserves an answer. How about Anti Executable? You use it don't you or is the recent version not to your liking? I seem to remember a thread where you discuss this.

 

Dunno how Vista does it but if anyone wants to try Rmus sample test, replace on your %SystemDrive% the stock .inf for his and drop the test file, then use Task Manager or APT to close explorer and restart explorer again. Then it should be ready to run once you open the My Computer and especially open your C:\ drive it should start.

Same in reverse when done testing, replace the test "autorun.inf and remove the hmmapi.bkx file" with your stock normal one, close explorer and restart explorer again.

This is just on testing it with your C:\ drive "IF" you got autorun enabled.

Just a good word of interest here, i use AVZ Antiviral Kit to search out and expose for me any basic vulnerabilities like anonymous user, admin $shares, and services that could attract remote code excution, etc. This is a wonderful tool to better seal any potential insecure openings that might exist on your good machine. I found quite a few myself on plenty of drives/systems that i use from time to time.

 

For information:

GMER, and SystemShield from usec.at - after the first one-two days, leaves no warning ( if you do not have a malware in the vincinity ).

NO warning, NEVER.

Yes Kerodo, my also: I like my daily life to be easy and NON-annoying. With my defense.

PRO

 

As soon as i replaced files with Rmus sample, sure enough Rundll32 activated the file and this is my screenshot on "ALLOW", but weird thing is it did open IExplorer but brought me to....

One Windows Live ID gets you into Hotmail, Messenger, Xbox LIVE — and other places you see

Was this by design?

 

Hello Rmus..Without much ado, appguard suits your needs(caps included) without the need for user interval..I believe DefenseWall could be configured to do so as well,with a very simple rule in resource protection module..Altough it passes such sort of threats if u select removable drives to be handled as untrusted..


appguard proof:
http://img14.imageshack.us/img14/10/54982140hc8.jpg

http://img12.imageshack.us/img12/966/22094713qp5.jpg

 

If anyone is a EQS HIPS junkie like myself, Alcyon, and a few others, theres a super cool ruleset that guards the %SystemDrive% from any changes whatsover and that kills Conflicker right out of the gate or any other dropper for that matter. I call it FolderGuard It's impenetrable!

 

You always have convincing arguments about default/deny solutions, and AntiExecutable is probably the only program that can't be fooled by any malware because of this very simple principle. People often forget that denying a legitimate download can be as bad as restarting the process and allowing it eventually. Whereas allowing the wrong process could involve re- installing Windows...

AE worked very well with XP, unfortunately with Vista it doesn't allow some programs to run properly (in my case FirstDefense PC Rescue, which I use for other purposes than strictly security).

I've tried SRP with Vista, reading posts from you and Tlu it seems the most logical and natural way for Windows to protect itself by simply implementing policies. Unfortunately, to work well with SRP, one needs to have some kind of knowledge at least to know that when something isn't right, it might have something to do with SRP. I had some strange behaviour at the time (I'm sorry I can't be more specific), and not knowing what the cause was or what to do about it, I resolved the situation with an image I had without SRP. Needless to say the problem was gone.

Finally IMO, Vista has something that is very close to default-deny, UAC which I find excellent and extremely simple, and has already proven itself to be very effective against rootkits. But guess what: some people can't stand Vista because of UAC.

All in all UAC + Virtualization for my needs and activities is easier and more practical than SRP. I completely agree on the general security approach that if in doubt, denying any download is the best protection.

 

The people I'm referring to use AE version 2. Unfortunately, rather than updating it for Vista, Faronics completely redesigned the product for its version 3, and I cannot recommend it.

In terms of ease of use, AE2, upon installation, creates a White List of all executable file types on the computer automatically. No other executable file type can run unless the user consents to disable AE and then install. This in effect is creating a Default-Deny policy for the computer.

You can see how simple this is and no technical knowledge is required. Even in SRP the user has to create rules/policies. Not an easy assignment for the average home users without some help.

AE version 3 on the other hand requires the user to create the White List, lists only application executables, and is no longer Default-Deny except in one case, where in an institutional setting, excluded users do not get the option to allow. Otherwise, for home users, if an unauthorized executable attempts to run:

​

So, you are in the same boat as the HIPS people where you have to make a decision.

Since AE3 no longer blocks all executable file types, you have the potential scenario where a trusted application can run a malicious file, a la conficker and rundll32 loading a DLL. AE3 does not block DLLs or any other executable file type that might be loaded by a trusted program: SYS, OCX, etc. AE3 is useless in these scenarios and the user might as well get a HIPS program.

If you have been following the Windows 7 beta development, you've noticed that this weakness has been shown
in User Account Control (UAC):

Second Windows 7 beta UAC security flaw:
http://www.istartedsomething.com/20090204/second-windows-7-uac-flaw-malware-self-elevate/

That can never happen with AE2.

UAC, of course, only comes into play after an executable runss and then attempts to make a change to the system:

Criticism mounting over Windows 7 security
http://m.news.com/2166-12_3-10156617-56.html

In cases of malware, presupposes that malware has somehow downloaed/executed and is now attempting to make changes to the system:

http://www.tweak-uac.com/home/

From the standpoint of secure prevention, this is totally unexceptable. For users with a Default-Deny setup already where the malware is blocked from executing at the gate, Remote Code Execution Exploits cannot run, making UAC irrelevant.

@chris2busy, PROROOTECT: thanks for the information. I'll check out those products.

@Osaban - thanks for your comments. Your experiences unfortunately have occurred with others. There seems to no longer be a simple solution for the average home user. You can understand my predicament, where I've been used to easily setting up secure protection for people against manipulatig any unauthorized executables.

I'm not that anxious to learn SRP myself. I've asked Tlu and Lucy to consider writing a simple, easy to understand tutorial for setting up the basics of SRP. Whether the non-technically knowledgeable home user can implement it remains to be seen.

Might as well have them start over and learn Linux!


----
rich

 

If you want the action blocked by default, why would you also want to see an alert? IMO, that would be as annoying as a firewall that prompts you for every port scan it blocks. On my 2K box running SSM with the UI disconnected, if the user tries to launch something that's not permitted, the message is simple: Access Denied! If it's another process that tries to launch an unknown, there's no message at all. With the UI disconnected, the user isn't prompted. No prompts = no decisions = no mistakes.

Regarding rundll32.exe, I configured SSM to block it when the UI is disconnected. IMO, most of the legitimate purposes it's used for should be classified as administrative tasks, like the modifying settings in control panel applets or the opening of files with non-default applications. On my 2K box, I've had no issues with this setting and it prevents its being used maliciously.

 

Personal preference, nothing more. I don't equate the two as you do. Anyway, as in a firewall, AE provides the option to suppress the alert message if desired.

What is SSM? A search brought up lots of hits with those initials.

thanks,

----
rich