SRP , Really Safe??

Discussion in 'other anti-malware software' started by nikanthpromod, May 5, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    And a beautiful thing it is. Built into the OS with no overhead whatsoever, because every create process call is examined for its inclusion. Only very large SRP lists would cause issues, or the wrong settings, like including dlls, in some instances.

    Not for everyone, not perfect, but in my opinion you risk nothing in terms of performance or instability, unlike many products attempting to hook into every nook and cranny of the OS.

    Some don't care about any potential flaws, as long as it is pop-up free and not a resource monger. Some are not willing to take a chance that a rare attack may get past it. And some just aren't happy unless they are trying out some new protection, those are the addicts. I think maybe security tools should come with a warning of some kind that they can be addictive. "once you try this hips tool, you may experience DownStall syndrome -- you download and install anything security related" lol.

    Sul.
     
  2. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Again you talk like a smart man, Windchild, but also not real. You say the bypass isn't limited to it, but don't tell what else. Not clear, and it's because you don't know any other way to bypass. I told Windchild already that I block cmd.exe and the vbscript process and others with SRP. You are right when you say scripting is needed for a bypass. But a limited user and good SRP rules will block all bypasses.

    Many here say it can be bypassed, but there is no show. I already said Excel macros can't run by default, so what worry? Tell me a real show and a real example of another way to bypass SRP when it is set up tight. Otherwise it is all theory.
     
  3. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Then they don't know how to use SRP tight. They need to learn how.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Or, maybe they are just unwilling to be as restrictive as is required?

    Sul.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Scenario: you open a booby-trapped .pls file with Winamp. Buffer overflow occurs in Winamp. The shellcode turns off SRP, then downloads and executes a malware exe.
     
  6. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Only theory. Also DEP blocks buffer overflows. Also, if you want to say it like that, then you can say anything about any security program being turned off with a buffer overflow. Only theory.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
  9. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Exactly, SRP is not done within the kernel. Applocker is, iirc, making it SRP done right. Of course, MS makes you pony up for Ultimate. For me, Applocker is the only feature I would use in Ultimate over my current home premium. I think I'll live without Applocker, but it is a strong feature, especially in x64 where other vendors cannot run their software from the kernel.

    Of course, I doubt any ITW malware will attempt to bypass SRP in the near future. Perhaps never.
     
  10. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Yes, Applocker is a good improvement. But SRP is powerful itself. Only 2 ways to bypass, and all theory. 1 is if the user doesn't know they have a script program and lets macros run. This is a user problem and easy to fix. And even still, never seen this bypass before.
    2 is if an exploit in a vulnerable program runs shellcode. But as I said before, this is all theory. We don't know for sure if it is possible to exploit and run specific shellcode to turn off SRP. Again, all theory anyway. Like saying HIPS or Defensewall bypass with matousec's vulnerability, or with a buffer overflow to switch off protection with shellcode. You can say anything in theory.
     
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Sorry for reviving an old thread; but what about this one:

    http://isc.sans.edu/diary.html?storyid=8917


    Seems to me SRP can and will be bypassed via targeted attacks.
     
  12. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    130
    The comment on that page explains it, basically if SRP is paired with LUA this attack is not possible.
     
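    Sully's first post describes SRP as a check applied to every process creation, with DLL checking as the costly option, and Spiral123's post above notes that the linked bypass does not apply when SRP is paired with a limited user account. As an added example (not code from this thread or from any of its posters), the PowerShell script below reads the machine-wide SRP settings Windows keeps under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and reports exactly those points: whether the default level is Disallowed, whether DLLs are checked, whether local administrators are exempt (PolicyScope), whether the ExecutableTypes list covers common script extensions, and whether any Unrestricted path rule points into a user-writable location. The key names and level values are the documented SRP ones; the list of script extensions it expects and the wording of each finding are this script's own assumptions.

```powershell
# Added example for this thread (not code from any poster): audit the SRP
# settings the Windows policy engine reads from the registry. Key names and
# level values are the documented SRP ones; the expected-extension list and
# the wording of each finding are this script's own assumptions.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and as the names of the per-level subkeys.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Script extensions a default-deny setup should list in ExecutableTypes so the
# rules also cover interpreter inputs (assumed list, not a Microsoft default).
$wantedTypes = @('VBS', 'VBE', 'JS', 'JSE', 'WSF', 'WSH', 'PS1')

function Get-SrpAudit {
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $rules    = New-Object 'System.Collections.Generic.List[object]'

    if (-not (Test-Path $base)) {
        $findings.Add('No machine-wide SRP policy is present under HKLM.')
        return [pscustomobject]@{ Findings = $findings; Rules = $rules }
    }
    $cfg = Get-ItemProperty -Path $base

    # DefaultLevel: 0 = Disallowed (default-deny, the "tight" setup in the thread);
    # 262144 = Unrestricted (default-allow, only explicit rules block anything).
    if ($null -eq $cfg.DefaultLevel -or [int]$cfg.DefaultLevel -ne 0) {
        $findings.Add('DefaultLevel is not Disallowed: SRP is allow-by-default.')
    }

    # TransparentEnabled: 1 = check executables only; 2 = also check DLLs,
    # the setting Sully warns can cost performance.
    switch ([int]$cfg.TransparentEnabled) {
        0 { $findings.Add('TransparentEnabled is 0: the policy is not enforced.') }
        2 { $findings.Add('TransparentEnabled is 2: DLLs are checked too (stricter, more overhead).') }
    }

    # PolicyScope: 0 = all users, 1 = everyone except local administrators.
    if ([int]$cfg.PolicyScope -eq 1) {
        $findings.Add('PolicyScope is 1: local administrators are exempt; SRP only holds when paired with a limited account.')
    }

    # ExecutableTypes is the REG_MULTI_SZ list of extensions SRP treats as code.
    $types   = @(@($cfg.ExecutableTypes) | Where-Object { $_ } | ForEach-Object { "$_".ToUpperInvariant() })
    $missing = @($wantedTypes | Where-Object { $types -notcontains $_ })
    if ($missing.Count -gt 0) {
        $findings.Add("ExecutableTypes lacks script extensions: $($missing -join ', ').")
    }

    # Each level subkey (0, 131072, 262144) holds a Paths subkey with one GUID
    # key per path rule; ItemData is the path the rule covers.
    foreach ($lvlKey in Get-ChildItem -Path $base) {
        $level = 0
        if (-not [int]::TryParse($lvlKey.PSChildName, [ref]$level)) { continue }
        $lvlName = $levelNames[$level]
        if (-not $lvlName) { continue }
        $pathsKey = Join-Path -Path $lvlKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $path = (Get-ItemProperty -Path $ruleKey.PSPath).ItemData
            $rules.Add([pscustomobject]@{ Level = $lvlName; Path = $path })
            # An Unrestricted rule into a user-writable tree undoes default-deny:
            # anything a limited user can drop there is allowed to run.
            if ($lvlName -eq 'Unrestricted' -and
                $path -match '%(USERPROFILE|TEMP|TMP|APPDATA|LOCALAPPDATA)%|\\Users\\|Documents and Settings') {
                $findings.Add("Unrestricted path rule '$path' covers a user-writable location.")
            }
        }
    }
    if ($findings.Count -eq 0) {
        $findings.Add('No issues found: default-deny, enforced for all users, script types covered.')
    }
    [pscustomobject]@{ Findings = $findings; Rules = $rules }
}

$audit = Get-SrpAudit
$audit.Rules    | Format-Table -AutoSize
$audit.Findings | ForEach-Object { Write-Output "- $_" }
```

    Run it from an elevated prompt on the machine being checked (the key is readable by limited users, so a plain prompt works for the read-only audit too). It inspects only the HKLM policy; a per-user SRP policy under HKCU\Software\Policies would need the same walk against that hive.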
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Old XP, long live XP

    With Sully's PGS, Software Restriction Policy is in reach for every XP Home user :thumb:

    With John Falk's FaJoFXPSE, Access Control Lists are easy to apply for everyone on XP Home (Vista and Windows 7 users have the security tab also on Home versions) :thumb:, see PIC


    Have not seen any malware which managed to evade both ACL and SRP :D
     

    Attached Files:

    • ACL.JPG (143.6 KB)
    Last edited: Jun 8, 2010
  14. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Correct. Also simple to block regedit.exe from running. Simple. Many out there don't understand SRP.
     
  15. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    I have never seen any which bypasses SRP alone in a limited user.
     
  16. It is possible, in theory... You'd need to use an exploit that DEP didn't block, to have a running application execute some privilege elevation code, which will finally execute the payload and root the OS. But that sort of attack is not easy - stuff like that is typical of directed attacks on servers and the like, not driveby attacks on desktops AFAIK.
     
  17. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Everything is possible in theory. Bypassing Defensewall, Online Armor is all possible also and has been done before. I use Sandboxie with a limited user and SRP now. Hard to bypass! Ok?
     
  18. Yes, it is. Basically, as long as a desktop user a) sets up LUA/SRP properly and b) doesn't install stuff from strange places, they're safe.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, I think option b is the one that works. All you really need is option b, isn't it?

    Sul.
     
  20. Sort of. I mean, if you're lucky and don't use your computer for much, you can just use Noscript, a firewall, and on-demand scanners - no realtime AV, no HIPS, nothing, and full admin privileges - and never get infected.

    But let's say a friend convinces you to get on Skype. Okay, now you've got Skype on your computer. Noscript may protect your browser well enough... But suppose there's a vulnerability in Skype, that allows remote code execution? The firewall probably won't protect you, since it's allowing connections to Skype. So, someone can send something to Skype that exploits the vulnerability... Executing a keylogger program, which steals your PIN next time you log in to your bank's website. Game over.

    Or, you could download a PDF file, which happens to be infected. Oops.

    Or you could read an infected document. Or view an infected Flash video on a compromised site, which you thought was safe. Etc.

    Basically what I'm saying is, there's a number of ways you can get hacked without deliberately installing rubbish. A smart security setup tries to limit those vulnerabilities, rather than protecting you from yourself (which is bound to fail). Obviously there's a limit to how much you can do, but you do want some security setup.
     
  21. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  22. Unfortunately true for keyloggers.

    (And actually kind of silly, seeing as keyloggers seem not to work on *nix without root access. I doubt it would be that hard for Microsoft to fix this issue.)

    Of course, that doesn't mean PrevX can't use it as propaganda. ;) But then, you know well what I think of their "pay us to remove malware" policy.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    And what if you start said pdf file as LUA or with DropMyRights?

    And if browser was run in LUA or DropMyRights or SBIE when said flash video was run?

    If skype were in your list of trusted software, and it develops a vulnerability would not a firewall still be useful? Are you suggesting that skype itself sends the mined data home? One would think the attacker would if they could.

    No point here, just interested to see how you look at it, erm, you might call it data mining ;) Never know when someone might have an idea or viewpoint that I can merge into my own little borg :blink:

    Sul.
     
  24. It can still install a keylogger.

    LUA, DropMyRights -> maybe safe, maybe not (depends on the malware). Sandboxie -> probably safe, the malware will likely be installed but can't do anything (except annoy you).

    No. I'm not entirely sure about this, but I think Skype has to act as a server to work properly, which means the firewall won't be protecting it. Could be wrong on that though.

    No problem,
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If the firewall rules are telling Skype to connect to specific IPs, maybe there is a central connection server (or servers), and likely it would not be an issue. If Skype has to allow wide-open IP endpoints, maybe a problem. A default-deny policy will not work here if Skype itself is the mechanism to send data back with, too true. What if the exploit tampers with Skype itself, in resident or physical? Most firewalls would give flags that "this has changed" or something. It is a good example of why running a program that is a server is a good reason to run a good firewall. Most people who use a firewall have nothing more than a glorified application guard, because the inbound portions of the firewall are hardly used behind a router. But hold ports open with something like Skype, and it turns into a different game.

    Interesting. I have never looked into how a cracker might use a program such as Skype to intrude. I wonder, does the exploit give a hole to buffer, then drop some code that does the dirty work? Or does Skype itself (only an example) become compromised enough that it can do the dirty work? Always something new to learn, isn't there?

    Sul.
     