Semi-Manually protecting myself, are my understandings accurate?

Hi all,

I've been thinking about my personal methods/thoughts on the whole secuirty issues.. i've stuck w/ it for years and it's never failed me.. but i wana ask you guys, if I'm really on track here, or am i just as clueless as a dumb blond in a nuclear submarine?

To summarize, I've used comodo and a bunch of other internet suites etc for as long as i can remember.. a few years back, gaining much knowledge on how these threats work, I decided to rely less on software protection and more on manual methods... and most specially because of resource/performance impact of these Security suites etc...

Here are my understandings on the matter at hand:

1) the only file types that are a potential threat to your system are EXECUTABLES (exe, vb, etc).. JPG, video files, Music, or other NON EXECUTABLES are NO THREATS - ofcourse except for non-exec documents that has a way to take advantage of vulnerabilities of its executing/host application: i.e., Word document that uses macros vulnerabilities of Microsoft word etc etc.. but these are really RARE occassions and i can easily spot these things, so i dont consider non exect types potentially threatening in general.

2) The only way you can get a threat into your system is if you voluntarily (knowing or unknowingly) copy the threat from a source to your computer (download, file copy, etc).. or if a shared resource (like a shared/writable folder on your PC) is on a network and there's a worm spreading copies of itself to any writeable network location.....

3) .. the only way for this threat to be activated and/or actually infect your system and do damage to it is if you voluntarily EXECUTE them (knowingly like by double clicking on them, or unknowingly like double clickin on a usb drive w/ autorun.inf instructions to execute the threat).. heck i even play around w/ trojan's and viruses on my pc, keep them there so i can study them , and i know they're just files / inactive untill they're executed..

ofcourse there is a rare exception on threats that has the ability to execute itself via OS vulnerabilities and script routines etc. but again, RARE stuff..

4) .. and when a threat is active / able to do stuff on your PC, that threat will be there in your list of running programs, processes and services..

5) and that.. removing an ACTIVE threat means manually ending the threat's processes, deleting the file, and removing it from your startup entries (in the registry)...



With the above knowledge, and for each of the above I:

1) take extra precaution handling, running, installing executable file types.. and dont really care to scan or be paranoid about any other non-executable files, specially images and music files .. like c'mon, i laugh sometimes at people running scans on mp3 and jpg files.. sheesh..

I also have gotten into the habit of setting my system to SHOW ALL FILES , regular or system files, and showing the EXTENSIONS of known file types, so that i can tell if an executable is using a JPG icon to fool me..

2) I have the habit of ignoring email attachments and other things I do not need, or do not expect.. and when i do need to copy files I scrutinize each executable file .. again.. i dont care about copying images/videos/music files .. they can never hurt my system (99%)

3) for those executable files that I need to copy, install, or run, while some I would know to be CLEAN such as those being downloaded from official websites of known developers, most executables i run has the potential to be a bad boy, coz i really do download a lot, try lots of cool software for PC.. some useful, some just for fun.. and i do admit to running keygens and cracks to software that i wana try for a long time.. (im not promoting piracy here, but hey everyone does it, atleast I do purchase applications that I have found to be REALLY USEFUL after extensively using its cracked versions.. like FolderSizes,SyncBackPro, are just 2 of the many software that i used illegally for a while then purchased .. if it's really useful to me, that WAREZ would be worth the money, and if it's not, that WAREZ will get uninstalled..

anyway back to the point, I do run a lot of potentially dangerous applications/installers on my system and i never get infected because i simply:
a) run a quick scan using whatever free AV i have installed like AVG, AVAst, etc.. and for very suspicious files I run them through virustotal.com

b) if checks prove an executable is clean i install it.. then i immediately run PROCESSEXPlorer and Autoruns and sometimes TCPViewer (all by Sysinternals) to check for PROCESSES that are running that i do not recognize, startup entries that shouldnt be there, as well as check for unexpected network traffic from any of these processes...

c) for the 99%/most part, all those 3 areas are usually clean and from here I CONCLUDE that whatever i just ran/installed is OK.. and i go on w/ my life.

d) sometimes i go so much as to running the application in a virtual enviornment first and comparing snapshots of the system before and after running the app.. to see if thre's anything suspicious

4) Should i spot a process that is unknown to me, or unexpected, or as per research is confirmed to be a threat, I would simply end it, delete the file and startup entries, and study it's effects.. if it doesnt do much to my system then I go on w/ life.. if it does (Like what happened to me just recently where it mesed up my registries and task manager etc), i simply restore my system's image and have a fresh system running again.. that's so much better than running AV removal that removes the threats but can never really put a system back to it's normal state (coz there's no way AV's can reveres all the things /changes a virus has done, really)..


5) well , number 4) answered this already..


So.. for many years, I was able to protect myself w/ the above philosopy on these threats.. and I can honestly say that at least in the last 5 years, I've probably been infected 4 times only, but never really experienced major intrusions, identity theft.. etc.. i was simply in belief also that whatever antivirus in paranoid mode can do, i am simply doing more manually and more effectively (i dont need to rely on virus definitions) .. and the most wonderful thing about this is not just the effectiveness of my process as proven in many years, the fact that there's almost zero ANNOYANCE from FALSE POSITIVES! <- this gets terrible annoying w/ paranoid security suites..



Now, I may be contented w/ all this already, but I think it's about time I ask other experts what they think of this too. Specially since all this i learned by myself, by experience, and by lots of trial and error.. and reading around.. i never really had formal computer science education etc.. (i did Business / Marketing major w/c is far from what i do now in the IT industry hhaaha)


So the question of it all is, AM I IN THE RIGHT TRACK HERE?

It's not that I dont trust these AVs, infact i have very high respect for comodo, and it's cloud style, etc.. but I always felt these AVs are for the regular users who

1) dont know what to look for in a system , dont know how to check, dont know the processes well etc
2) dont have time or cant be bothered to worry about these steps.. people who like the convinience of just running something and not worry about all this stuff..

Not that there's anything wrong w/ the above, but at least for me, i felt more comfortable in being in control and most importantly not have to worry / be scared of false positives....


Right now i got Comodo suite installed, it's great, but darn it's raising all these false positives (or so i think it is).. even flagged applications in my programs archives (cracks and keygens included) w/c ive already been using for many years w/o issues...




I know this has been a long read, thanks so much for going thru this for me, and I would really appreciate your thoughts on this.......


Regards

TJ

 

My take:

On the first day of geekness, my systems installed clean
and my system is truly problem free.

On the second day of geekness, I add all of my tweaks
and my system still remains clean.

On the third day of geekness, I add utilities.
I'm loving all my tweaks and my system still remains clean.

On the fourth day of geekness, I install Sandboxie,
run utilities, still love my tweaks
and my system still remains clean.

On the fifth day of geekness, I surf the web,
using Sandboxie, run utilities,
loving all my tweaks and my system still remains clean.

On the sixth day of geekness, I start downloading files,
all from the web, using Sandboxie,
run utilities, still love my tweaks
and my system is still remains clean.

On the seventh day of geekness, I execute some files,
that were downloaded, all from the web,
using Sandboxie, run utilities,
enjoying my tweaks and my system is still remains clean.

On the eighth day of geekness, I watch my processes,
as I execute some files that were downloaded,
all from the web while using Sandboxie,
and some utilities, relying on my tweaks
and my system is still remains clean.

LOL, I have no idea where that came from. Your post for some reason made me think of that.

It sounds like what you are trying to say is that if you have a known clean state, and you are careful about what you download (where it comes from) and use prudence in what you execute, many problems are resolved. An occassional scan of suspicious files doesn't hurt, nor using a little virtualizing.

Sounds like a good plan. I would only say that the assumption that media is always safe might not be the best assumption.

Sul.

 

Wrong. You mention "knowing and unknowingly".

By "knowing", I'm assuming you're meaning the user will deliberately download something, whether or not they know it will infected their systems is a different thing, which is where "unknowingly" comes in. Is that it?

What about drive-by downloads, which require no interaction with the user; all that is needed is a vulnerability in the web browser?

Wrong. What about the drive-by downloads? They require no user interaction.

(I know it's possible to kill drive-by downloads, etc., but that's not what I'm talking about. This is so other users don't feel compelled mentioned one could do that or this to kill the drive-by downloads.)

 

@Sully

I thought i was reading some form of GEEK GENESIS or something haha .. thanks for ur entertaining input though

re Sandboxie, or sand boxing in general) yeah that would be great, except for the fact that i do a lot of stuff and install stuffs that needs access to the real system..but yeah it does help to sandbox apps just to see how it goes. . Hence i do use VMware to do this but sometimes i get lazy specially w/ small quickie aps.. (failure on my side).. but now im using comodo, and it has a very good sandbox feature.. you should try it maybe?


@MoonBlood
yes by unknowingly copy and/or activate a threat, i meant intended to do so, or didnt intend to do so but USER ACTION caused it.. meaning it's not AUTOMATIC that just because your computer is sitting there connected to the internet and you're not doing anything, it can still receive bad boys and even get them bad boys activated too.. (reserved for really bad OS vulnerabilities)..

but yes you do make a good point w/ drive by downloads... yes it still needs interaction (you have to actually visit a site or a link and stuff) w/c was really bad way back then when these browsers were so vulnerable.. but nowadays i dont think it's really that rampant.. still though goin back to my point, if you're at least AWARE of what you're doing, downloading, activating, or what site you visit, you can pretty much avoid these things..

Goin back at another point im trying to make, regarding processes.. i ran AV MW engines on my pc and i've got flags on files (not installed/just sitting there) left and right.. Trojan.Generics, riskware, etc etc. all these flags and some positive ID's on threats.. when I know for a fact that i've used these apps (and cracks/kGens) before and i even activated some of them now just for kicks and checkd my processes and newp there werent any rogue processes launched, and no rogue startup entries too.. so , can these be all considered false positives? and my gosh they're a lot..

 

Drive-by downloads don't need interaction with the user. How exactly will ABC user know that XYZ web site is safe or malicious? And, what exactly is a safe web site nowadays?

Even web sites from known and respectable security vendors have been hacked, and some more than once. So, again, what is a safe web site?

No one should ever enter or visit a web site (directly or redirected to it), using just the protection provided by the web browser, because vulnerabilities do and will exist.

I can avoid drive-by downloads, and only using the web browser (but only because it's the operating system actually providing the means), but not everyone is aware of such, or would want the hassle of doing things like me, because it does require a routine and 1% of patience for doing certain things with some workarounds, like saving urls to the system... This is how restricted my web browser is...

Reality is... there's no such thing as a safe web site... Just by visiting www.wilderssecurity.com I could be redirected to a domain hosting exploits.

Not all cracks/patches/keygens are infective. In some cases, the problem is not the source from whom these came from, but the other third-party sources that may have modified such applications to infect your system.

 

I won't comment on your entire post, but I believe you (meaning anyone surfing the net) could be vulnerable to scripts, i.e. java script which could do some malicious things. I believe they could also download and install exe unless you have other protections in place.

Also, I have read about vulnerabilities in flash and adobe reader, to mention just two. Exploits for either of those would not require downloading or executing executable type files. Click on some flash link or download and open a pdf and you could be in trouble. Mostly I associate those two with stack overflow type attacks. In either case I they couldn mess you up (again meaning anyone surfing the net) enough to survive a reboot unless you have other protections.

 

Can't rootkits hide from things like this? I thought that was the whole point of them, to get launched early enough in the boot process that they could stop themselves from showing up in taskmanager, or even stop themselves from showing up in a file search.

 

Possible? You bet:
DNS cache poisoning
Infected PC on your network brute forces into the router and changes the DNS (many don't even have a non default password or the webui has a vuln) or it can start ARP spoofing.
bbcode exploit, yeah, not really
rogue PNG image (imo libpng is notoriously insecure)
vulnerability in the wilders webserver, or another site if it's a shared VPS

 

I'm not a web designer/programmer, but I'd like to ask the following, which I believe that's what happens in such situations.

Imagine X website, which I can give the example of -www.wilderssecurity.com-, once more.

The administrators would want to change the domain of Wilders Security Forum to something else.

What would be the way of letting existing and new users and visitors of knowing what is the new domain?

I can think of two possibilities:

* Leave the old domain with just a warning that there's a new domain, and give users a link to it.

* Leave the old domain, which would automatically redirect users to the new one.

I believe this second option is what happens with many web sites.

I believe this is what hackers do as well to hacked websites? So that, when users visit XYZ website they get automatically redirected to malicious domains?

 

BrownChiLD
your analysis of what's "rare" and what not is outdated or simply based on half truths/assumptions.

Today the biggest threats are not worms (thank you MS, thank you NAT in almost every home) and not Trojan exes (thank you Gmail, thank you AV industry) but are all on "data files" or "scripts".
Right at the top of my list there's Adobe: PDF and flash files. We have Javascript exploits in popular browsers, PNG and Font files.
If you don't keep up to date there are still Active X and Java exploits making the round.

Around these threat models your protection is both overkill and inadequate at the same time.
The best protection today comes from sandboxes, anti executeables and anti-memory corruption techniques.
Namely I recommend Chrome/Sandboxie+Firefox, Applocker and EMET.

If we look at what happens if indeed something passes through your defenses your methods fail again:
Modern payloads are "highly sophisticated" (marketing speak but it's true) "stealth" rootkits, they don't show up in running tasks or hide in the usual places. Detecting them after you let the dropper execute is very hard and you can't be sure if your system is clean short of hashsumming all files and comparing them to a known good state, including MBR and places like that; and that didn't cover memory only attacks that don't survive a reboot but can be just as devastating.

 

Yes, totally. But, I believe that's also due to the fact that the administrators of this forum are quite active and, I'm pretty sure, alert to such situation.

It was just an example that I wanted to give. But, the same does not apply to every other website.