Features ProSecurity Free - SSM free

Discussion in 'other anti-malware software' started by Kees1958, Jan 24, 2007.

Thread Status:
Not open for further replies.
  1. TECHWG

    TECHWG Guest

    Yes, it will be a lot easier.
     
  2. ogodei

    ogodei Registered Member

    Joined:
    Jan 5, 2007
    Posts:
    18
    Hi herbalist,

    as I'm still on the learning curve of using SSM, could you please answer the following questions?

    I saw that SSM allows adding rules to files / folders (right-click on Application Rules > Add Rule for file / folder). I don't remember having found information about these features in the help file. Do you know what they are good for? What can be done with them?

    Could you elaborate a little more on this point? How do you know that a rootkit is likely to be installed, if it comes bundled with other software for instance? Sony's rootkit comes to my mind. So which red flags do you look at?
     
  3. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I just want to know if anyone has tried ZoneAlarm Free with PS Free, and whether this is OK. I know people like Comodo, and I think it is good, but with PS Free for protection, wouldn't ZoneAlarm Free be good enough?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    WordWard,

    When you have a hardware FW, try SensiveGuard; see the review.
     
  5. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Thanks Kees1958, I'm not sure though that it is for me. Not afraid to try ZoneAlarm Free. Using Comodo is nice, but I don't think it is needed with ProSecurity Free. PC Tools was a nice firewall and used only 4000k of memory, but sometimes it would lose the internet connection. I used ZoneAlarm Free before and liked it, just not sure how the new version will work with ProSecurity Free. I like PS Free, it is very nice and low on memory so far. Not sure if I will like it more than CyberHawk though. Will soon take it out of learning mode to see.
     
    Last edited: Jan 27, 2007
  6. herbalist

    herbalist Guest

    Rootkits get into your system the same way any other adware or malware does. The only real difference between a rootkit and another application is that the resulting files, registry entries, and processes are hidden from Windows. Take a look at https://www.wilderssecurity.com/showthread.php?t=163087. Some form of an installer or running code is needed to put the files in place and to write the registry entries. Unlike legitimate software, the installer often runs with no visible window, but it is still a running process. While Windows itself will allow any process to run, visible or not, HIPS software will detect the attempt to launch that process or new code and alert you. If the HIPS monitors the registry, you may see alerts about the new entries. Depending on the specific rootkit, that may be all the warning you get.
    Regarding the Sony rootkit, no one really expected a legitimate company to use tactics like that. The AV vendors didn't add it to their detections. Whether they didn't know or just didn't tell us, you decide for yourself. I suspect they knew but were intimidated by a big, rich industry. While HIPS would have warned about an installer running, it would have been difficult to determine its real nature from the alerts HIPS gave. Other than blocking the install process, there wasn't much a user could have done. Most chose to allow it because they didn't expect malware on a purchased CD. If the Sony rootkit incident proves anything, it proves that even "legitimate" businesses will use malware or legalized malware-like tactics when there's money to be made. Microsoft clearly supports this position with its integral DRM in Vista. IMO, all commercial code is now suspect, and the bigger the vendor, the more suspect the code. Short of a full behavioral and traffic analysis of an application, there's no way to be completely sure of what you're getting anymore. Upload anything you want to install to VirusTotal and let all of them scan it. If an MD5 signature is available for the app you downloaded, check it. Monitor the autostart section of the registry at the very least during the install and beware of new autostart entries, especially if the app shouldn't require them. Unfortunately, there aren't always red flags present that the average user will be able to see. The best advice I have is to make a full system backup before any software installation, not just a Windows restore point. Nothing else is completely certain. Even testing the app in a sandbox or virtual install isn't a guarantee. Some malware detects the virtual environment and aborts the malicious install, letting the user think it's safe. Then when the install is done on an actual system, it shows its true colors and infects it.

    Regarding the right-click options to add rules, the option to add a rule for a specific file allows you to create a rule for a specific executable, DLL, or driver before it's used, effectively bypassing the prompting you'd get when it's first started. It's useful when you know ahead of time that you want to control access to a certain application, or in the case of certain Windows components that you don't use, to block their operation. For instance, if you don't want anyone to use Outlook Express, you can make a blocking rule for it without ever starting it. If you have an application installed that you want no one other than yourself to use, make a rule allowing it only when the SSM UI is connected and make sure that you alone have the password.

    The rules for folders are useful when you want to apply the same permissions to all the files of a specific type in a folder. It's better used for restricting access or running than it is for permitting access, such as making the rule one that blocks when the UI is disconnected. Using this feature to make "allow" rules for everything in a folder can be risky if another user is aware of the rule and copies an app they aren't supposed to run to that folder. I use the folder rule to restrict usage of a folder of batch files to only run when the SSM UI is connected. That option is pretty much for folders that you know ahead of time what type of rules you want applied to them.
    Rick
     
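The autostart check and hash check herbalist recommends above, as an added example that is not part of the original post or of any product in this thread: export the Run key with `reg export` before and after the install, diff the two exports, and compare the download with the hash the vendor published. The two .reg snapshots, the `SysHelper` entry and the installer bytes are constructed for the example. One caveat the post does not make: an MD5 match only guards against a corrupted or swapped file, not a deliberately colliding one, so use a SHA-256 whenever the vendor offers one.

```python
"""Snapshot and diff of the autostart (Run) key around a software install, plus a
check of the download against the vendor's published hash.

Added illustration for this thread, not code from SSM, ProSecurity or any other
product mentioned here. The two .reg snapshots, the SysHelper entry and the
installer bytes are constructed for the example.
"""
import hashlib
import hmac
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshots in the format written by
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" before.reg
# (real exports are UTF-16LE with a BOM: open them with encoding="utf-16").
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysHelper"="\"C:\\Program Files\\Shared Tool\\syshelper.exe\" -s"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
DEFAULT_RE = re.compile(r'^@=(.*)$')                   # the key's default value


def _unescape(s):
    # .reg string syntax: \\ is a backslash, \" is a quote
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the text of a .reg export into {(key, value_name): data}."""
    entries, key = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):        # wrapped hex: data continues on the next line
            line = line[:-1] + next(lines, "").strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = _unescape(m.group(1)), m.group(2)
        elif DEFAULT_RE.match(line):
            name, data = "", DEFAULT_RE.match(line).group(1)
        else:
            continue
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: data is kept raw
        if key is not None:
            entries[(key, name)] = data
    return entries


def diff_autostart(before_text, after_text):
    """New, removed and changed autostart values between two exports."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in after if k in before and after[k] != before[k]),
    }


# Constructed stand-in for the downloaded installer and for the hash copied from
# the vendor's download page (computed from the same bytes here, for the demo).
INSTALLER = b"MZ\x90\x00" + b"constructed installer bytes" * 8
PUBLISHED_MD5 = hashlib.md5(INSTALLER).hexdigest()


def verify_download(data, published_hex, algo="md5"):
    """True if the download matches the published hash (case-insensitive hex).
    Prefer algo="sha256" when the vendor publishes one; MD5 collisions are practical,
    though either still catches a corrupted or swapped file."""
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), published_hex.lower())


if __name__ == "__main__":
    print("download matches published hash:", verify_download(INSTALLER, PUBLISHED_MD5))
    after = parse_reg(AFTER_REG)
    for kind, entries in diff_autostart(BEFORE_REG, AFTER_REG).items():
        for key, name in entries:
            print(f"{kind:8} {key}\\{name} = {after.get((key, name), '<removed>')}")
```

On a real machine, take the first export before running the installer and the second right after, open both files with `encoding="utf-16"`, and repeat the same pair for the HKLM Run and RunOnce keys and the Services key, since an installer can just as well start its payload as a service. Any entry under "added" that the application has no business needing is the red flag herbalist describes.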
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Herbalist , thanks

    I have added a rule to block startup of applications from the shared folder my wife uses to download music. I have also entered this directory as untrusted in DefenseWall (besides marking LimeWire as untrusted program).

    SensiveGuard does not allow any program with an internet connection (including LimeWire) to go outbound when not initiated by the user, and does not allow these internet-connected programs to create/change/delete any of the files with these suffixes: *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.scr, *.ini, *.hta. SensiveGuard also blocks all reads on *.ppt, *.doc, *.xls, *.jpg, *.mp3 by any program when not initiated by a user.

    With these measures I am trying to control the "black hole" a P2P program like limewire creates in PC security.

    Kees
     
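The file/folder rules herbalist describes two posts up and the SensiveGuard restrictions Kees1958 lists here are both first-match policy rules over process events, so here is one small evaluator that models them together. This is an added illustration, not code from SSM, ProSecurity or SensiveGuard; the folder names (`D:\Shared\Music`, `C:\Tools\Batch`), the process paths and the events are constructed for the example. It also shows the caveat from herbalist's post about "allow" folder rules: a file copied into the allowed folder is allowed too.

```python
"""A small first-match rule evaluator for the kinds of rules discussed above:
SSM-style file/folder rules (block execution out of a folder, allow a folder only
while the HIPS console is connected) and SensiveGuard-style restrictions on
programs that hold an internet connection.

Added illustration, not code from SSM, ProSecurity or SensiveGuard. The folder
names, process paths and events are constructed for the example.
"""
from dataclasses import dataclass
import ntpath

# Extensions SensiveGuard is described (above) as protecting.
CODE_EXTS = {".exe", ".com", ".dll", ".tlb", ".ocx", ".vxd", ".sys", ".scr", ".ini", ".hta"}
DATA_EXTS = {".ppt", ".doc", ".xls", ".jpg", ".mp3"}

# Hypothetical folders: the shared P2P download folder and a folder of batch files.
P2P_DOWNLOADS = r"D:\Shared\Music"
BATCH_FOLDER = r"C:\Tools\Batch"


@dataclass(frozen=True)
class Event:
    process: str          # image path of the process performing the action
    op: str               # "execute", "create", "modify", "delete", "read" or "connect"
    target: str           # file being acted on (or remote host:port for "connect")
    user_initiated: bool  # a user action (click, keypress) is behind it
    has_network: bool     # the process holds an open internet connection
    ui_connected: bool    # the HIPS console is attached (SSM "UI connected")


def in_folder(path, folder):
    """Case-insensitive 'path lies under folder' check using Windows path rules."""
    folder = ntpath.normcase(ntpath.join(folder, ""))   # guarantees a trailing backslash
    return ntpath.normcase(path).startswith(folder)


def ext_of(path):
    return ntpath.splitext(path)[1].lower()


# (name, predicate, action). The first match wins; anything unmatched returns
# "ask", i.e. the HIPS would prompt the user.
RULES = [
    # Kees1958's folder rule: nothing executes out of the P2P download folder.
    ("block-exec-p2p-folder",
     lambda e: e.op == "execute" and in_folder(e.target, P2P_DOWNLOADS),
     "block"),
    # herbalist's folder rule: the batch folder runs only while the UI is connected ...
    ("batch-folder-ui-only",
     lambda e: e.op == "execute" and in_folder(e.target, BATCH_FOLDER) and not e.ui_connected,
     "block"),
    # ... and the risky "allow" form: anything copied into the folder is allowed as well.
    ("batch-folder-allow-when-ui",
     lambda e: e.op == "execute" and in_folder(e.target, BATCH_FOLDER) and e.ui_connected,
     "allow"),
    # SensiveGuard: no outbound connection that the user did not initiate ...
    ("no-unattended-outbound",
     lambda e: e.op == "connect" and not e.user_initiated,
     "block"),
    # ... internet-connected programs may not create/change/delete code or config files ...
    ("net-app-no-code-writes",
     lambda e: e.has_network and e.op in {"create", "modify", "delete"}
               and ext_of(e.target) in CODE_EXTS,
     "block"),
    # ... and no program reads document/media files unless the user initiated it.
    ("no-unattended-data-reads",
     lambda e: e.op == "read" and ext_of(e.target) in DATA_EXTS and not e.user_initiated,
     "block"),
]


def evaluate(event, rules=RULES):
    """Return (action, rule_name) for the first rule that matches the event."""
    for name, predicate, action in rules:
        if predicate(event):
            return action, name
    return "ask", "default"


# Constructed events; field order: process, op, target, user_initiated, has_network, ui_connected.
EVENTS = [
    Event(r"C:\WINDOWS\explorer.exe", "execute", r"D:\Shared\Music\hit_single.mp3.exe", True, False, True),
    Event(r"C:\Program Files\LimeWire\LimeWire.exe", "connect", "203.0.113.9:6346", False, True, True),
    Event(r"C:\Program Files\LimeWire\LimeWire.exe", "create", r"D:\Shared\Music\codec_update.dll", False, True, True),
    Event(r"C:\Program Files\LimeWire\LimeWire.exe", "create", r"D:\Shared\Music\track07.mp3", False, True, True),
    Event(r"C:\WINDOWS\system32\svchost.exe", "read", r"C:\Documents and Settings\kees\My Documents\tax2006.xls", False, False, True),
    Event(r"C:\WINDOWS\system32\cmd.exe", "execute", r"C:\Tools\Batch\nightly_backup.bat", True, False, False),
    Event(r"C:\WINDOWS\explorer.exe", "execute", r"C:\Tools\Batch\dropped.exe", True, False, True),
    Event(r"C:\WINDOWS\explorer.exe", "execute", r"C:\Program Files\Mozilla Firefox\firefox.exe", True, False, True),
]


def audit(events=EVENTS):
    """Evaluate every event; returns [(target, action, rule_name), ...]."""
    return [(e.target,) + evaluate(e) for e in events]


if __name__ == "__main__":
    for target, action, rule in audit():
        print(f"{action:5}  {rule:28}  {target}")
```

The seventh event is the one to notice: `dropped.exe` was never meant to be in the batch folder, but the "allow when UI connected" folder rule permits it anyway, which is why herbalist prefers folder rules that restrict rather than permit. Rule order matters too; the P2P block is listed first so that even a user-initiated launch out of that folder is stopped before any later allow rule could see it.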
  8. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    If you have a firewalled router you could get away with using no firewall. PS free offers network control to monitor outbound connections.
     
  9. herbalist

    herbalist Guest

    That's a good use for a folder rule. I didn't think of that particular instance as I'm the only one who uses P2P on this PC. In households where the kids do most of the file sharing, a rule like that combined with a window filter that prevents access to the folder would be an excellent precaution. That way you could thoroughly scan everything that was downloaded before any one else had access to it.
    A black hole is a fitting way to describe it. I've got a collection of trojans and rootkits that were sent to me through P2P, disguised as something else. On several occasions, my AVs didn't alert to them. The worst cleaning jobs I've had to do were caused by P2P, either by poor user practices or by the bundled app itself. Kazaa and the obnoxious bundle it came with. :mad: I'm not familiar with LimeWire. Been a Shareaza user for years. It's Open Source and isn't bundled with anything.
    P2P does present several additional security problems. Their internet connection requirements are one of the bigger ones. The more security-conscious users run P2P through an app like PeerGuardian, but a lot of hard-core P2P users think that security-ware does nothing but slow them down, especially a firewall.
    My biggest concern with P2P apps is an exploitable vulnerability. With P2P being automatically associated with piracy, and according to some of the powers that be, terrorism, I doubt that we'd be informed if a vulnerability was discovered. Such an exploit would be called an anti-terrorism tool. I'd also expect that the entertainment industry or their watchdogs have exploit code for P2P apps that no AV will detect. When they've deliberately put malware on legally purchased CDs, would you put it past them? That's one of the reasons I stay with Shareaza. Open Source code that can be checked for backdoors or bundled apps. The Open Source community also fixes vulnerabilities a lot faster when they are found.
    I consider HIPS to be an absolute necessity when using P2P on windows, set on as paranoid a setting as possible, with rules that will alert to and log everything the P2P app does. Too many people and organizations targeting both the apps and their users to risk doing any less.
    Rick
     
  10. ogodei

    ogodei Registered Member

    Joined:
    Jan 5, 2007
    Posts:
    18
    @ herbalist

    Thanks for your quite instructive answers.:thumb:

    If I understood well, some rootkits, like some malware, would be detected at the firewall level when trying to communicate with / being contacted by their creators, if scanning has failed to find them.

    With respect to the file / folder rules, I was trying to find out whether SSM could also perform the action done by Spy-the-spy in the SSM Usage thread (post #15) to ascertain if an executable is alien or is trying to run / DLL-inject alien executables, but it seems that SSM can't do the job of Spy-the-spy.

    @ Kees1958

    Thanks for your concrete example.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    There are malware that have their own TCP/IP stack, so, they can bypass the firewall driver.
     
  12. ogodei

    ogodei Registered Member

    Joined:
    Jan 5, 2007
    Posts:
    18
    Thanks lucas1985 for the clarification. Are there tell-tale signs if that's the case? By the way, does the application need to install a driver to have its own TCP/IP stack?
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Of course :) Without a driver, that wouldn't be possible.
    Running a packet sniffer could tell you about strange network traffic. People using Linux machines as routers install Snort to inspect the behaviour of the network.
     
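The detection lucas1985 points at, as an added example that is not part of the original post or of any product named here: malware with its own TCP/IP stack (or a rootkit hiding its sockets) produces flows that the host's own socket table cannot account for, while a sniffer on the router sees them regardless. The script below parses a `netstat -ano` listing from the Windows host and checks each flow the router captured against it. The netstat text, the host address and the captured flows are constructed for the example.

```python
"""Cross-check flows seen on the wire (a sniffer on the router) against the socket
table the Windows host reports with `netstat -ano`. A flow that no host socket
accounts for points at a stack-bypassing driver or a rootkit hiding its socket.

Added illustration for this thread, not code from any product named here. The
netstat output, the host address and the captured flows are constructed.
"""

HOST_IP = "192.168.1.10"

# Constructed `netstat -ano` output taken on the Windows host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1064      93.184.216.34:80       ESTABLISHED     2044
  TCP    192.168.1.10:6346      203.0.113.9:6346       ESTABLISHED     3188
  UDP    192.168.1.10:137       *:*                                    4
  UDP    0.0.0.0:6346           *:*                                    3188
"""

# Constructed flows observed at the router for HOST_IP during the same window:
# (proto, local_port, remote_ip, remote_port, bytes_seen).
WIRE_FLOWS = [
    ("tcp", 1064, "93.184.216.34", 80, 48211),    # browser
    ("tcp", 6346, "203.0.113.9", 6346, 9017),     # LimeWire
    ("udp", 6346, "198.51.100.22", 6346, 1402),   # LimeWire UDP
    ("tcp", 41833, "198.51.100.7", 443, 26840),   # nothing on the host owns this
    ("udp", 137, "192.168.1.255", 137, 92),       # NetBIOS name service
]


def _split_endpoint(endpoint):
    """'192.168.1.10:1064' -> ('192.168.1.10', 1064); '*:*' -> ('*', None)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines
        local_ip, local_port = _split_endpoint(parts[1])
        remote_ip, remote_port = _split_endpoint(parts[2])
        sockets.append({
            "proto": parts[0].lower(),
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": parts[3] if parts[0] == "TCP" else "",   # UDP rows have no state column
            "pid": int(parts[-1]),
        })
    return sockets


def owner_of(flow, sockets, host_ip=HOST_IP):
    """The socket that accounts for a wire flow, or None.

    TCP must match the full 4-tuple; netstat shows UDP sockets unconnected ("*:*"),
    so only the local side can be matched. A socket bound to 0.0.0.0 covers host_ip.
    """
    proto, lport, rip, rport, _ = flow
    for s in sockets:
        if s["proto"] != proto or s["local_port"] != lport:
            continue
        if s["local_ip"] not in (host_ip, "0.0.0.0"):
            continue
        if proto == "udp" or (s["remote_ip"], s["remote_port"]) == (rip, rport):
            return s
    return None


def unowned_flows(flows=WIRE_FLOWS, netstat_text=NETSTAT_OUTPUT):
    """Flows the router saw that no socket on the host accounts for."""
    sockets = parse_netstat(netstat_text)
    return [f for f in flows if owner_of(f, sockets) is None]


if __name__ == "__main__":
    for proto, lport, rip, rport, nbytes in unowned_flows():
        print(f"UNOWNED {proto} {HOST_IP}:{lport} -> {rip}:{rport} ({nbytes} bytes)")
```

Two caveats a practitioner would add: a connection that opened and closed between two netstat runs also shows up as unowned, so sample the socket table repeatedly over the capture window before concluding anything; and a hooked netstat on a rootkitted host lists nothing for the hidden socket, which is exactly the discrepancy this check is meant to surface, so treat the router's capture, not the host, as the ground truth.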
  14. TECHWG

    TECHWG Guest

    Or even run a Windows XP VMware guest and rig it up as a router, as I have done many times.
     
  15. herbalist

    herbalist Guest

    SSM does check the signature of executables when they run, so if one is modified, it does detect it. It does detect DLL injection. SSM isn't a file integrity or folder contents monitor per se. Integrity checking and folder contents monitoring software are worthwhile as an additional defense layer with HIPS. That said, new or modified files don't get added without there being some process running to put them there. SSM or another HIPS would have alerted to that process attempting to run. The integrity monitoring would be useful to alert you if an allowed process or an otherwise undetected exploit performed that activity. For monitoring the files added by an install process, an app like Inctrl5 is better as it creates records that tell you which apps are responsible for installing each new file.
    Regarding malware installing drivers, an app like SSM will alert you to the installation of a driver, but if that driver is part of a rootkit installation, it won't be visible once the rootkit is active.
    Rick
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Herbalist,

    Hear, hear, and I would add a sandbox to it (see fig).
     

  17. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Anyone feel with the new improvements made to PS Free 1.30, that it's catching up to SSM Free in its RealTime Protection?
     
  18. EASTER.2010

    EASTER.2010 Guest

    One might take you to task on file integrity as far as the MD5 base goes, including myself, but I agree a folder/file monitor is an absolute necessity I would like to see employed. File Change Alarm is the only one I have found yet that can monitor directories accurately and in real time, giving a user an immediate alarm that something is writing/changing/deleting a file, while affording you time to investigate that action and do something to reverse that activity while there's still ample time to reverse something forced on them.
     
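The integrity-checking layer herbalist calls worthwhile in post #15 and the folder/file monitoring EASTER.2010 asks for here come down to the same technique: baseline a tree, then compare. The example below is added for this thread and is not code from SSM, File Change Alarm, Inctrl5 or any other product named here; it hashes every file rather than trusting size and timestamp, and `demo()` builds a throwaway tree in a temporary directory with constructed file contents to show why that matters: the tampered `app.exe` keeps its size and gets its original timestamp put back, so only the hash gives it away.

```python
"""Baseline-and-compare integrity check of a folder tree. Every file is hashed, so a
modified file is caught even when its size and timestamp were restored, which a
size/mtime-only monitor would miss.

Added illustration for this thread, not code from SSM, File Change Alarm or any
other product named here. demo() builds a constructed tree under a temp directory
and simulates an install that adds, deletes and tampers with files.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """{relative/posix/path: (size, mtime_ns, sha256)} for every file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, _sha256(p))
    return result


def compare(baseline, current):
    """Added, removed and modified files; for modified ones, which attributes differ."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            (bsize, bmtime, bhash), (csize, cmtime, chash) = baseline[rel], current[rel]
            changed = [what for what, b, c in (("size", bsize, csize),
                                               ("mtime", bmtime, cmtime),
                                               ("hash", bhash, chash)) if b != c]
            if changed:
                report["modified"][rel] = changed
    return report


def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed tree: baseline it, simulate an install, return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "bin" / "app.exe", b"MZ" + b"\x00" * 30 + b"ORIGINAL-CODE!!")
        _write(root / "bin" / "helper.dll", b"MZ" + b"\x00" * 30 + b"HELPER-DLL")
        _write(root / "config" / "settings.ini", b"[main]\nupdates=manual\n")
        baseline = snapshot(root)

        # Simulated install: a new driver, a deleted DLL, a config change, and a
        # same-size patch of app.exe whose timestamp is then put back (timestomping).
        _write(root / "drivers" / "syshelp.sys", b"MZ" + b"\x00" * 30 + b"DRIVER")
        (root / "bin" / "helper.dll").unlink()
        _write(root / "config" / "settings.ini", b"[main]\nupdates=auto\n")
        app = root / "bin" / "app.exe"
        old_mtime_ns = baseline["bin/app.exe"][1]
        _write(app, b"MZ" + b"\x00" * 30 + b"PATCHED-CODE!!!")   # same length as before
        os.utime(app, ns=(old_mtime_ns, old_mtime_ns))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed"):
        for rel in report[kind]:
            print(f"{kind:9} {rel}")
    for rel, changed in report["modified"].items():
        print(f"modified  {rel}  ({', '.join(changed)})")
```

For real use, take the baseline snapshot of the Windows and Program Files trees before the install, store it somewhere the installer cannot write to, and compare afterwards; the `app.exe` case in the demo is the one that separates a hash-based check from a monitor that only watches timestamps. Hashing a whole system tree is slow, which is the trade-off a real-time monitor like the one EASTER.2010 describes makes in the other direction.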
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is why I like SensiveGuard; it prevents the change of vulnerable files and access to your data files.
     