If you don't use an AV please post your Security Setup

Discussion in 'other anti-malware software' started by CyberCat, Jul 21, 2009.

Thread Status:
Not open for further replies.
  1. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Windchild explains all of this very well, much better than I could. If you are going to try a LUA, consider installing SuRun, which makes it a lot easier to operate as limited user. What this does is get you as close to the Linux sudo principle as you can get in Windows. There's a very good tutorial for it here, written by Wilders own resident Linux guru, mrkvonic.

    If you get used to that, which isn't difficult, you may want to take another step and try a software restriction policy to go along with it. Here's a simple and concise guide to setting it up.

    Properly programmed software will work fine in a LUA. There are some things which really do require admin rights, one example is Image for Windows. With SuRun this is no problem, right-click->Start as Administrator and it's good to go. Something like a registry cleaner will obviously also need admin rights, but it's the same procedure as above. The good thing with SuRun is that you remain in your user environment in contrast to the Windows run as, which literally takes you to the administrator's user environment.

    I set up a computer for a colleague of mine who is not a safe surfer and at the same time not very knowledgeable. I set it up with LUA + SuRun and explained to him in about 5 minutes how to use it and he has had no problems with it at all. Give it a whirl and after about two days you won't notice it anymore.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Notes:

    you can't use Software Restriction Policy if you have Windows XP Home, Windows Vista Home Basic, or Windows Vista Home Premium, but Limited or Standard accounts are still strongly suggested. Try them out; you can always go back if they don't work well for your needs.
     
  3. demonon

    demonon Guest

    Actually you can.
    There are some "hacks" to use SRP in the home versions.
    In HP, you can easily modify the registry, the only problem is that you don't have a group policy editor.

    For me.
    I use WinXP Pro SP3.
    I use SRP + Chromium with dropped rights.
    For the rest I have a hardware firewall and some manual tweaks to the system.
    I have disabled some services, used bugoff and various other tools.
    I also keep my system backed up and if I really think I need some extra defense, I also have Returnil Premium and Shadow Defender available.
    I feel very safe knowing that I always can fall back to a virtualisation software or a backup and that most malware won't even run on my system because of SRP and my secured browser/OS.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    "There are some "hacks" to use SRP in the home versions." How? I have an HP XP2 :)
     
  5. demonon

    demonon Guest

    Here is the thread for those who are interested:
    https://www.wilderssecurity.com/showthread.php?t=200772

    To be honest and precise:
    I don't know whether Vista Home can have SRP.
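    Since SRP is stored in the registry on every edition, whether or not gpedit.msc is present, the effective policy can be inspected directly. The following read-only audit script is an added example, not code from the thread or from the linked discussion; the key names are the documented Safer locations, and it assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): read the Software Restriction Policy
# state from the registry, which is where SRP lives on every Windows edition,
# including Home editions that lack the Group Policy editor. Read-only.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels used by SRP (SAFER_LEVELID_* constants from winsafer.h).
$levels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'      # 0x1000
    65536  = 'Constrained'    # 0x10000
    131072 = 'Basic User'     # 0x20000
    262144 = 'Unrestricted'   # 0x40000
}

if (-not (Test-Path $base)) {
    Write-Output 'No SRP policy present (CodeIdentifiers key missing).'
    return
}

$cfg     = Get-ItemProperty -Path $base
$default = $levels[[int]$cfg.DefaultLevel]
Write-Output "Default level : $default (DefaultLevel=$($cfg.DefaultLevel))"
# TransparentEnabled: 1 = all software except DLLs, 2 = all software files.
Write-Output "Enforcement   : TransparentEnabled=$($cfg.TransparentEnabled)"
# PolicyScope: 0 = all users, 1 = all users except local administrators.
Write-Output "Scope         : PolicyScope=$($cfg.PolicyScope)"

if ($default -eq 'Unrestricted') {
    Write-Warning 'Default-allow policy: only the listed Disallowed rules block anything.'
}

# Path rules are stored as GUID-named subkeys under <level>\Paths,
# with the rule's path in the ItemData value.
foreach ($lvl in $levels.Keys) {
    $pathKey = Join-Path $base "$lvl\Paths"
    if (-not (Test-Path $pathKey)) { continue }
    Get-ChildItem $pathKey | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Level = $levels[$lvl]
            Path  = $rule.ItemData
            Rule  = $_.PSChildName
        }
    }
}
```

A sensible LUA + SRP setup shows DefaultLevel 0 (Disallowed) with Unrestricted path rules for %SystemRoot% and %ProgramFiles%; anything else means the user's own writable folders are also executable.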
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That would be the one linked by Demonon. :) Both threads are worthwhile reading, though!
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks again
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    LUA, I mean to me what is the big deal. If you have a PC that has some kick, none of the apps I have tried have slowed it down, nor have I yet to be infected.

    And the wheel goes round and round.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. Interesting thread here.

    How does one choose between LUA or Admin? On one hand you have the ability in LUA to go about daily business without your account being able to muck with specific objects and containers (that is, files and directories). Programs that are coded according to proper specifications would place objects that needed to be changed in the user's profile directory, where the user (being a limited user) would have rights to modify at will. This would then keep the program files (.exe's, .dll's etc) safe where the user cannot modify, but still allow configuration etc changes. This is how it is supposed to work.

    Enter the real world. Many programs do not conform to such specifications, thus the need to elevate with RunAs or SuRun quite often, or just run as an Admin.

    The best statement, and I cannot remember now who said it (sorry) was very simply put. For those who do things WITH their computer, often LUA poses no great problems. But for those who do things TO their computer, LUA tends to be a pain in the bum. I agree with that statement whole-heartedly. I think it best captures the crux of this LUA vs. Admin debate that is not only here at Wilders, but very much abroad. Seems Vista has spurred that to higher levels than it used to be.

    Suffice to say, that if you use programs that primarily adhere to a multi-user approach, you can probably use LUA with little discomfort. Tools like SuRun help tremendously. And it is definitely going to give you a better base of security, there is no question about that.

    However, if you (like me) are constantly messing with the OS, or like programs that are not designed specifically for a multi-user environment, then LUA is nothing more than a nuisance.

    I do believe that most peeps should be using LUA, that is, peeps who have no interest in computers really. It would decrease the amount of garbage that goes around.

    But, you must also look at the other side. If all it takes is elevating a users rights to admin rights to start some executable, how are you then to be protected? Antivirus or HIPS or other tool?

    The end result is that at some point, to install something, you must give it admin rights. You are owned then if you don't know what you are doing. I don't care who you are, you have to give admin rights at some point. The question is, do you trust the executable? How can you tell?

    These types of threads really cannot prove anything one way or another. I was chided not long ago for mentioning that these things are all based on opinion. And I believe they are. You can run LUA or not, and depending on your level of skill or knowledge, be fine in either.

    I think most who utilize LUA or SRP or other measures similar, whether from Admin or LUA, are just trying to find some combination of security that offers them some freedom from all the configurations and popup windows that are usually involved with HIPS and such. I know that is one of my primary goals.

    I think that with the talk lately of POC attacks that get past virtualization, all of this is a moot point. If something escapes SBIE or vmWare or Rnil or RollbackRX or ShadowDefender/User, then where are we at? lol, IMO we are down to imaging as the only means of truly knowing you will not be owned.

    I like a lot of these tools mentioned here, and wish I could run in LUA everyday, but my habits and methods and programs really don't allow me to. And I have put a LOT of effort into how I can be in LUA. Countless hours testing, tweaking and coding.

    Threads like this, if kept civil, are super learning threads, if for no other reason they spur new avenues of thought.

    Sul.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My decision to run as Administrator was based on the following:

    Malware cannot do any damage unless it installs. The two methods of installation are

    • Remote code execution, aka drive-by download

    • User grants installation privileges

    The first method is the easiest to prevent. The second is more problematical, and my solution is to purchase/download only from vendors, and check around to see others' experience with said software.

    I confess to not understanding this scenario. How does this 'elevating of rights' happen? It seems to me that some malware would have to install.

    ----
    rich
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    the answer is
    as in, the user chooses to elevate because to install some application, you must be elevated. As you state, if you don't know the executable is to be trusted, then it might not be trustworthy. Thinking along the lines here of someone downloading program X, then wishing to install it. Without HIPS or AV or something, they give admin rights (have to) and install it. Game is over if executable is malware or other such nasty thing.

    Sul.
     
  17. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think this is very very useful to remember. I found this myself with my latest setup.
    At first it's more inconvenient than using an AV, but I understand exactly what it can and can't do, & how it protects me.
    So I think the inconvenience is worth it.

    It's much easier to remember how it all fits together too!
    So, ok, new exe and dll are blocked.
    Turn AE off to install something (at my own risk). TF can catch some suspicious behaviour on install.
    Worst case have an - old :) - image.

    No software to learn, compare settings, wonder about will it stop this POC or that exploit..
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Got it! Thanks.

    1. Disregarding fake codecs and flashupdate stuff, what would you choose to install that could be malware?

    2. What alert would a HIPS give, and how would you determine that this action during the installation was not legitimate?

    rich
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You are on the same page..

    1. What I would choose to install (after installing in SBIE or vmWare) would be a tool that is useful, a program that is useful or something that is useful. In short, lol, something useful. What others might install would be some new mahjong game, some new mp3 player, some new super duper gotta have it download it now coz it rocks program. Or, maybe it is just pirated software, a game crack, a keygen, etc etc etc. All the stuff that peeps just download and run.

    2. HIPS, if you were informed, would give you exactly what the executable was doing. Going back to PG days, you could, if you were savvy, allow installation only to a point, then use PG to kill the process because perhaps you saw it wanted to write to registry or something. Firewalls are the same way, where if you NEED to know what is coming and going, and you are savvy enough, you can do just that, down to the gnats behind if you so desire. HOWEVER, if you don't know your system, don't know how to use a HIPS much less want to, then the executable does what it wants. And since you just downloaded that super duper new crack for WOW which promises to level you up in 1 week, you just gotta use it. You run it, a message pops up that says 'U R Dork. U R Pwned. U lose. Have nice dye.'

    lol, when you elevate to root rights, which is needed in so many instances, you are taking the chance every time that what you downloaded is either good for you or bad for you. Eh, I don't have an issue. Many here might not because they understand how to spot things that you don't want to touch. But others, well, peeps do like to click and run, and ignore things like UAC. And when they do, they may or may not have a program that will do them right. lol, strange how it all works.

    Sul.
     
  20. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Nice informative Post Sully.

    Microsoft Windows Vista, before Microsoft scaled back Vista to be compatible with the lagging World, was designed to outright deny installing or running executables that were not Digitally Signed.
    I do not know if Microsoft Windows 7 enforces this rule now or not.
    To answer your question "Do I trust this executable, how can I tell?"
    Currently the only way is by Digital Signatures, if it is not Digitally Signed, do not install or run the executable. I never run Unsigned Software.
    Now, some vendors Digitally Sign the installer but fail to have other executables within the program Digitally Signed. This is where the rule in Vista was supposed to protect.
    No Digital Signature, Access denied. There is also the issue that executables can exist with forged Digital Signatures. Again, the original full blown real Microsoft Vista was able to detect forged Digital Signatures.
    I hope this feature is strongly enforced in Microsoft Windows 7.


    HKEY1952
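    The post above raises two checks a user can actually perform: whether an installer is signed, and whether the executables it dropped are signed too. The script below is an added example, not code from the thread; it uses the built-in Get-AuthenticodeSignature cmdlet, and the target path is a hypothetical placeholder to be replaced with the installer or the installed program folder.

```powershell
# Added example (not from the thread): audit Authenticode signatures for a
# downloaded installer, or for every executable inside an installed program
# directory, since an installer can be signed while the binaries it drops are not.
param(
    [string]$Target = 'C:\Program Files\ExampleApp'   # hypothetical path; replace
)

function Get-SignatureReport {
    param([string]$Path)

    # A folder is scanned recursively for code files; a single file is checked as-is.
    $files = if (Test-Path -Path $Path -PathType Container) {
        Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi, *.ocx
    } else {
        Get-Item -Path $Path
    }

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # Status meanings:
        #   Valid        - signed, chain ends in a trusted root, file unchanged
        #   NotSigned    - no signature at all
        #   HashMismatch - file modified after signing (tampered binary)
        #   NotTrusted   - signature present but chain is not trusted, which is
        #                  how a self-made or forged signature shows up
        [pscustomobject]@{
            File   = $f.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$report = @(Get-SignatureReport -Path $Target)
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} files are unsigned or carry an invalid signature." -f $bad.Count, $report.Count)
} else {
    Write-Output "All $($report.Count) files carry a valid signature."
}
```

A Valid status only proves who signed the file and that it has not changed since; it says nothing about whether that signer should be trusted, which is still the reputation question discussed in the thread.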
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I got that far and suddenly my eyes became a bit blurry and I felt a headache coming on... I thought back to years ago when I considered PG and looked at the PG forum here, remembering all the questions about alerts, Should I allow one instance, or full access?...

    I admire people who can use these products like PG and understand what they are doing. (Now they are even more sophisticated.) I am not savvy with things like this. I would rather put my trust in the vendor's reputation and user reviews. Well, that's been my way for 20+ years - a bit old fashioned, I'm sure!

    What are peeps? Sounds like you are describing a chicken!

    ----
    rich
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I used PG, still is one of my favorites. I think there are certain people that just really want to know everything that happens. I don't know if they are control freaks or just very curious. I used to use PG along with other tools. Firewalls with tons of custom rules. lol, a program could not go to the bathroom without my knowledge. But as time has gone by, I realized I don't need to know everything, and that in the 'vigilant' years, I really did not see much that I needed protection from. Now I don't sweat it much, and just keep looking for ways that are as native as possible, as free as possible, as light as possible and above all as least chatty as possible.

    peeps lol, is peoples. A term I picked up from LAN parties.

    Sul.
     
  23. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    For the question of "How do you know what software to trust?" the answer is extremely easy. Use your head. Consider the obvious: who made the software? Are they good guys, trustworthy? Who distributes the software? Are they trustworthy? Are there any credible reports of the software being badware?

    Hmm, looks like I just downloaded a program from Microsoft. It seems to be digitally signed by Microsoft, and is apparently called Process Explorer. Well, no-one seems to be saying it's malware, based on a quick Google search. I guess I'll install it and see how owned I get. ;)

    The issue of having to choose the software you trust exists for people who use LUA and for people who use any other possible security measure. If you use a HIPS and an AV, if the AV doesn't beep, what do you do? Do you put your HIPS into install mode (or in other words, don't ask me questions mode) and go ahead? A lot of people would. Or do you install with the HIPS at paranoid, and see what happens? If you do that, then you can't really claim that installing software in LUA is a pain! Installing software with a HIPS screaming blue murder all the time about every autostart registry key and service that installer creates is a lot bigger pain in my experience. ;)

    But really, who here has had trouble with knowing what to trust? I sure don't. And if you're feeling doubtful, you can always say no if you're entirely sure. If you don't know it's safe, why should you have to install it? Questions like this do lead into the obvious conclusion: again, the user is the biggest weakness. If the user trusts something he shouldn't, then bad things can happen, no matter what the security measure.
     
  24. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hmmm, now what have I got here I wonder?
    AVCare_Setup_Free_en.exe received on 2009.07.26.
    Result: 5/41 (12.20%)
    File size: 790170 bytes

    Better install and have a look.

    Ah, a new rogue found by "The Great White Malware Hunter". Grab droppers then delete contents of sandbox and upload/report. So damn easy and secure in a full blown admin mode.

     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Why would you have to wonder? The name alone (AVCare) tells me it's a rogue anti-malware. And spotting that takes a fraction of a second. :)

    If I'm going to do malware analysis - which is something most computer users neither want to do nor should do - I'm going to either use VMWare or a non-virtualized test system for those malwares that will not do their job when they spot they're being run in a sandbox or virtual environment (yeah, these are around, as well, and typically they target the most common stuff like VMWare, and yes, Sandboxie, too).
     