The irrelevance of Applocker / relevance of SAFE admin tweaks

Discussion in 'other security issues & news' started by Kees1958, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Okay, cool, I'm glad that is considered "standard user". I don't mind UAC at all.



    Maybe I'm over-thinking this, but I install/remove a LOT of things quite often, like music/video players, browsers, email clients, and such things. I use this system for all sorts of things all the time. This is why I'm not sure I'm the best candidate for the white-listing approach. Again, maybe I'm misunderstanding how you all are explaining default-deny.


    Well, there aren't many ways to operate MBAM or even a rather simple AV like Avast, which I use. The messages I get are either "it's clean" or "it's infected". I mean, certainly, there are settings to configure, but none of them are outside my knowledge range and I keep them pretty simple.

    I use backup scanners simply because I've learned one program can't catch everything. Isn't that the mantra taught here at Wilders? I didn't mean my "junk" comment as in LUA/SRP was literally junk, only that it's over my head, and, I've gotten along pretty good without it. Didn't someone here say use what works? Well, I do. Would it be nice to just rely on built in things like registry tweaks, SRP and all that, and not have to use 3rd party programs? Sure would, but I'm simply not ready for that yet. I don't see it as such a problem as I do a step in my learning process. I may not be as elite and "guru" as some of you, but so far I'm staying out of trouble with the little knowledge I DO have and the tools I use.
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Some strangely negative responses to Sully & Kees' initiative in this thread. I for one applaud it - a very smart move which should prove a useful tool to all of us that are running home editions of Windows and don't want to run LUA (and that's not an invite to the LUA preachers to attempt more conversions :D ).

    Kees calls it correctly in that many security-conscious home users opt for HIPS to essentially perform an anti-executable function, but then have to live with a multitude of largely unnecessary and unwanted additional pop-ups.

    SAFE Admin looks like it will bridge a significant gap and I look forward to trying it out.
     
  3. wat0114

    wat0114 Guest

    That's because they don't know how or don't want to configure them correctly for a simple default-deny setup.
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Correct, that's why the prospect of SAFE Admin should be welcomed.
     
  5. wat0114

    wat0114 Guest

    Absolutely, and if anyone can get it right, Sully certainly will (also why I'll gladly test drive it). My only concern was advising on manual registry tweaks, because they tend to get a lot of people in trouble. They were not, admittedly, advised in this thread, but have been in others.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Oh man, am I ever in agreement with that. There seems to be a distinct division with the registry -- either you get it or you don't. If you get it, changing a value with a .reg file is very easy to navigate to in the registry and fix it yourself (as long as it is not a delete command). If you don't get it, lol, you just stare at the registry as if it were an alien. I have sympathy and understand this, as it does take some messing around in it before you become comfortable. Imagine a novice trying to find a CLSID {GUID} and seeing nothing but the word "Apartment"? It certainly is a confusing place.

    Even when you program something that messes with the registry, it takes (IMO) a degree of caution to do it correctly. If it is simply adding a new key/value, or modifying a default one, it is really not a big deal. But, when you are deleting or modifying values that might be custom to the machine/user, you really should tread lightly until you understand the implications of changing things.

    I love it when a program/feature uses the registry, because it makes it so easy to manipulate. While .reg files can wreak havoc, they are also an easy and fairly mundane method. I don't fear it at all, I spend a lot of time messing around in it. I will come up with something to make these features of Kees painless to initiate.. at least as much as possible considering there is some ACL work involved.

    Sul.
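
An added example (editor's, not code from this thread or from SAFE Admin) of the caution Sully describes above: one registry tweak applied with a backup of the key first, only add/modify operations (no delete anywhere), a verification read afterwards, and the exact rollback command printed. The key and value names are hypothetical placeholders; a real tweak under HKLM would additionally need an elevated prompt.

```powershell
# Added example (editor's, not code from the thread or from SAFE Admin):
# apply one registry tweak the cautious way -- back the key up first, only
# add or modify values (nothing in here deletes), verify afterwards, and
# print the rollback command. Key and value names are hypothetical.
param(
    [string]$KeyPath   = 'HKCU:\Software\SafeAdminDemo',   # hypothetical key
    [string]$ValueName = 'DemoSetting',                    # hypothetical value
    [int]   $NewValue  = 1,
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'RegBackups')
)

# reg.exe takes HKCU\..., the PowerShell registry provider takes HKCU:\...
$RegExePath = $KeyPath -replace '^([A-Z]+):\\', '$1\'

function Backup-RegistryKey {
    param([string]$PsPath, [string]$RegPath, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    if (-not (Test-Path -Path $PsPath)) {
        # Nothing to export yet: rolling back means deleting the key we create.
        Write-Host "No existing key; rollback: reg delete `"$RegPath`" /f"
        return $null
    }
    $file = Join-Path $Dir ('backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $RegPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegPath" }
    Write-Host "Backup written; rollback: reg import `"$file`""
    return $file
}

function Set-RegistryDword {
    param([string]$PsPath, [string]$Name, [int]$Value)
    # Record the old value so the change is reviewable.
    $old = (Get-ItemProperty -Path $PsPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $old) { $old = '<absent>' }
    if (-not (Test-Path -Path $PsPath)) { New-Item -Path $PsPath -Force | Out-Null }
    # -Force overwrites an existing value; this script never removes anything.
    New-ItemProperty -Path $PsPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    # Verify before declaring success.
    $now = (Get-ItemProperty -Path $PsPath -Name $Name).$Name
    if ($now -ne $Value) { throw "Verification failed: expected $Value, found $now" }
    Write-Host "$PsPath\$Name = $Value (was $old)"
}

$null = Backup-RegistryKey -PsPath $KeyPath -RegPath $RegExePath -Dir $BackupDir
Set-RegistryDword -PsPath $KeyPath -Name $ValueName -Value $NewValue
```

The same pattern scales to a batch of tweaks: export each key once, apply with New-ItemProperty, read back, and keep the .reg exports as the undo path. A .reg file written by reg export is an exact snapshot, so importing it restores modified values; it cannot restore a value that was deleted after the export if the deletion was made on a key outside the snapshot, which is another reason to stay with add/modify only.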
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    On Windows 7 I use a standard account for most activities, and an admin account for admin stuff. I have UAC on the highest setting also. I didn't mean to imply that UAC+admin account is necessarily "quite safe" though - merely that it's better, from a security perspective, to have UAC on max while using an admin account vs. UAC disabled while using an admin account.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you give an example of what a user would encounter, where UAC would alert and protect?

    thanks,

    rich
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    How about this: a few weeks ago, user plugs in infected USB stick that exploits recent .LNK vulnerability, and the malware attempts to install a kernel-mode rootkit?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I love it when programs such as Opera and Forte Agent (email) still use .ini files which are stored in the program's directory, for easy configuration without having to mess with the Registry.

    For example, using Opera's keyboard.ini file I can remap the hotkeys:

    [screenshot: opera_keyboardIni.gif]



    ----
    rich
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What would the UAC alert say? Do you think the user would know what is going on and how to respond to it?

    The PoC wasn't much of a test compared to the real thing, but could you run it and show the UAC alert?

    thanks,

    rich
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't have any particular such malware (or POC) on hand. It would be an interesting experiment to see what percentage of users at large, and also of Wilders members, would have allowed the malware total system access.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, it would be an interesting experiment!

    Several of us discussed this a year or so ago, and on another forum I asked for some screenshots of UAC alerting to running of unauthorized executables.

    This first one was interesting in light of the fake Microsoft files that were circulating at the time. Now, fake Microsoft updates for the latest LNK vulnerability are showing up in email attachments.

    ZeuS/ZBOT and SALITY Jump on the LNK Exploit Bandwagon
    http://blog.trendmicro.com/zeuszbot-...oit-bandwagon/
    [screenshot: UAC-paul.jpg]

    Another one:

    [screenshot: UAC.png]

    So, yes, it would be interesting to test how people would respond to these alerts.

    One of Kees's suggestions is:

    But then, follow all sorts of tweaks and tricks which I suggested were beyond the capability of the average user to understand and implement (at least those I've been in contact with)

    When I was helping set up home system security, I stressed that anything unauthorized that popped up and attempted to run would be denied by default, and there was no other option. I also stressed policies, and the fake MS update is easily taken care of by what Brian Krebs suggested some time ago:

    While I couldn't get a working LNK exploit in the wild, it's easy to simulate a LNK file attempting to launch the malware payload (DLLs masking as TMP): you just click the link shortcut instead of having it auto-execute, but the result is the same -- the executable tries to run:


    There are several non-HIPS programs that include Default-Deny protection which, in my view, are more suitable for the non-technical user than what is being offered in this thread (except those who have an expert person in the family!).

    Nonetheless, what is being proposed here is very interesting to follow, and should be of much use to those who are capable of implementing it.

    ----
    rich
     
  14. wat0114

    wat0114 Guest

    Certainly, I understand. Like you, I also run in LUA the majority of the time. My comments were based on my conclusions from the link I included in post #12, where the standard token is applied by UAC to the administrator, effectively rendering applications that don't perform administrative tasks standard-level applications.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is not fighting fair! In order for the OS to use a .ini file, I would have to go back a long way...

    I agree though, programs that use .ini are my fave. But no such luck with the OS I am afraid.

    Sul.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich,

    I would like to ask you to give SAFE a try when it is ready. That is, when you have a modern OS available like Vista/Windows 7 (I noticed most of your screen grabs have the Windows classic look and you prefer Win95 .ini files to the registry).

    For us (Sully and me), it would be nice to see its effectiveness against a few PoCs you have published on Wilders (which always showed AntiExecutable was the best implementation of your default-deny philosophy), and for you it would be convincing to see its usability/ease of use (of course all your feedback on usability would be appreciated).


    DW426

    For the same reason (feedback on ease of use) I would ask you to give it a test run also when Sully has completed SAFE.

    Regards Kees
     
  17. tlu

    tlu Guest

    @Sully: Regarding the reactions in this thread, I can only speak for myself. Just to clarify: I don't oppose the measures suggested by Kees and your SAFE admin. It certainly improves security a lot and is therefore a step in the right direction.

    I was just irritated by the tenor of the headline that Applocker is irrelevant and SAFE admin tweaks are relevant. Relevant/irrelevant for whom? Yes, for the average Windows user Applocker is irrelevant - but the same is true for the suggested alternative. The average Windows user is not a member of this forum as he/she is not interested in the topics discussed here. Consequently, this user won't ever apply the suggested registry tweaks (neither manually nor via your tool). Talking about these users is therefore useless.

    Thus, we are solely talking about the forum members. They are interested in security matters (otherwise they wouldn't be here), and they have plenty of opportunities to ask their questions and to discuss their problems. I would expect that these users are serious about security and do not regard Applocker as irrelevant in the first place.

    You said yourself that a LUA/SRP/Applocker combo is the best method for most people (and who am I to disagree with that statement ? :D ). So why should we push people into a sub-optimal method given that PGS also works under Win7? (Although I don't know if you can implement the Applocker enhancements into PGS.)

    Again, I was irritated by the tenor and absoluteness of the statement that Applocker is irrelevant which belittles it IMHO. But that doesn't mean that I don't appreciate the work Kees and you are doing.:thumb:
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I apologise for irritating you. We do not disagree on this point; I stated in the first post that there are no rational reasons why someone who is able to use the company PC as LUA objects to LUA for use on his/her private PC. The objections are 80% emotional (control what is yours). Look at my sig, we are in the same team (although some would say with team mates like Kees, who needs enemies?)

    Well, I agree and disagree with you on this statement. Let me explain. I have implemented those tweaks manually for six friends and two relatives. This was after I tried to convince them to run LUA. As mentioned in the first post, I see no rational arguments why people could not run LUA on their own PC. Those objections are purely emotional. Those eight (where I implemented those tweaks manually) were responsive to the argument that they could have freedom and better protection at the same time for free. They seem to be happy using it, no complaints.

    So I agree that no 'lazy admin' will by himself use SAFE as a means to enhance his/her protection. But I hope that the Wilders community as a social network will take some responsibility in making the web a safer place. Wilders has a lot of members who help their relatives and friends with PC issues. Also, newbies join the forum on a regular basis. I hope existing members will embrace SAFE and include it in their toolkit to help relatives and friends. When the threshold of knowledge is taken away because it is automated with SAFE, in theory everyone could use it.

    I hope you are open-minded enough to try out SAFE when it is ready and provide us with tips to enhance its usability.

    Maybe I am naive, but do not underestimate the power of social networks. Wilders is such a social network. When a fair part of the Wilders members implement it at friends'/relatives' the spin-off will be worth it.

    My brother-in-law and a friend already asked me whether I could apply the same tweaks for relatives of theirs. I told them to wait, because soon there will be a tool which automates these tweaks.

    So opportunities for spin-off are realistic IMO. Maybe some members here have contacts at other social networks, for instance AKO with Gizmo, some others with Raymond or ADSL Reports etc. This would leverage the social network effect.

    Regards Kees
     
    Last edited: Aug 4, 2010
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was completely puzzled as to why this thread garnered a "why would you do this" when a near duplicate thread(s) had responses of "how do you do that". Almost like it was a different content even though it was not.

    And now we know why. I thought the headline and topic was more one of "lets discuss the implications" rather than a statement of effectiveness myself.

    and not included in their version

    Probably true in desire/skill to use the options, but not in availability.

    Again a true statement. Unless as Kees points out someone of greater knowledge helps them.

    Which would be my target primarily.

    I look at it differently I suppose. I don't see any of it as being irrelevant, except for the fact that Applocker/SRP is missing from the lower end versions.

    I see this stuff Kees is bringing to attention as components that are individual. Kees has wrapped them together into a scheme, and while not the same as other schemes, it does look to work. But I see it as other layers that one might want to implement individually depending on what it is and what it affects. In my little corner of the world these sorts of little tweaks will be applied differently than in Kees' corner, or maybe the same, who knows. I am going to implement what he wants because it is an interesting alternative, and might be of use to someone. But I am also going to make sure that it is not just a one-stop click and it all is applied. I want a tool to let me choose which one(s) to use without having to go through the effort of manually doing it.

    Thanks for the insights.

    Sul.
     
  20. tlu

    tlu Guest

    @Kees and Sully: I agree with you - well, not in every detail but by and large :D

    And I will spread the word, Kees! I won't be able to test SAFE, though, as I don't have Win 7 and I'm pretty sure that I won't buy it - sorry!

    Keep up your good work!
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Will do, Kees. Now, a couple of questions for any of you really.

    1. UAC, at SOME level, is LUA, true or false?

    2. LUA, if there is no rational argument for NOT using it, what do you all say to those that tell you software either won't work properly or not at all under LUA? Is that not a rational argument? Also, I'd like to know, is it really possible to turn my now admin account into LUA without losing files I already have (these are files not included in my backup)?

    3. Anti-executable software. I'm on Win 7 64, and I just will not go the HIPS route, and can't at this time shell out near 50 dollars for AE. Are there any free alternatives available that will do the job?
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, I wouldn't want to return to Win 3 because the Registry certainly has made OS configuration more flexible (if not complex!)

    But programs are different (Those that can use .ini files). My brother is a software developer (small business products) and he uses .ini files, and along with the Dlls and related data files, are all stored in the program's directory.

    I appreciate the offer, but am not interested in applying all of those tweaks! It's just much too complicated for me to follow. I like to keep things simple and unencumbered. Besides, I'm still on a WinXP SP3 laptop (along with my desktop Win2K).

    ----
    rich
     
    Last edited: Aug 4, 2010
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why not Applocker to set up basic default-deny rules? Free and already on board.

    Also, check to see if the free version of Returnil has execution protection.

    ----
    rich
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I have Home Premium, so no Applocker available to me (Thanks a lot, MS). Returnil Free does not, as the function is within the AV guard, which is also not in Returnil Free anymore as far as I can tell.
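
Rmus's "free and already on board" suggestion and dw426's reply above are the gap this thread is about: Home editions have no gpedit.msc and no AppLocker, but the Software Restriction Policy engine is still present and reads its policy from the registry. The following is an added example (editor's; not code from this thread, from PGS or from SAFE Admin) that writes a basic default-deny SRP directly into that registry key. It is a dry run unless -Apply is given, and -Apply needs an elevated prompt. The whitelist (Windows and Program Files) is an assumption to adjust, and PolicyScope defaults to 1 so local admins are exempt while you test; set it to 0 only once a logon as a standard user confirms the rules do not block anything you need.

```powershell
# Added example (editor's, not code from the thread, from PGS or from SAFE
# Admin): write a basic default-deny Software Restriction Policy straight
# into the registry, the route left open on editions without gpedit.msc or
# AppLocker. Dry run by default; -Apply writes the values (run elevated).
param([switch]$Apply)

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # security level "Disallowed"
$Unrestricted = 262144   # 0x40000, security level "Unrestricted"

# Policy-wide values
$settings = @{
    DefaultLevel        = $Disallowed   # anything no rule matches may not run
    TransparentEnabled  = 1             # 1 = all executables except DLLs, 2 = DLLs too
    PolicyScope         = 1             # 1 = local admins exempt; 0 = everyone (after testing)
    AuthenticodeEnabled = 0
}
# Extensions SRP treats as executable (the list the SRP snap-in shows by default)
$execTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
             'PIF','REG','SCR','SHS','URL','VB','WSC'

# Unrestricted path rules. Assumption: the usual "Windows + Program Files"
# whitelist; the user profile, temp folders and removable media stay Disallowed.
$allow = @('%SystemRoot%', '%ProgramFiles%')
if (${env:ProgramFiles(x86)}) { $allow += '%ProgramFiles(x86)%' }

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type, [bool]$Commit)
    Write-Host ('{0}\{1} = {2} [{3}]' -f $Path, $Name, ($Value -join ','), $Type)
    if (-not $Commit) { return }
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

foreach ($name in $settings.Keys) {
    Set-PolicyValue -Path $Base -Name $name -Value $settings[$name] -Type DWord -Commit ([bool]$Apply)
}
Set-PolicyValue -Path $Base -Name ExecutableTypes -Value $execTypes -Type MultiString -Commit ([bool]$Apply)

foreach ($p in $allow) {
    # Each path rule is its own {GUID} subkey under the security level it grants.
    $rule = Join-Path $Base ('{0}\Paths\{1}' -f $Unrestricted, [guid]::NewGuid().ToString('B').ToUpper())
    Set-PolicyValue -Path $rule -Name ItemData    -Value $p -Type ExpandString -Commit ([bool]$Apply)
    Set-PolicyValue -Path $rule -Name SaferFlags  -Value 0  -Type DWord        -Commit ([bool]$Apply)
    Set-PolicyValue -Path $rule -Name Description -Value 'default-deny whitelist (added example)' -Type String -Commit ([bool]$Apply)
}

if ($Apply) { Write-Host 'Written. Log off and on again; revert by setting DefaultLevel back to 262144.' }
else        { Write-Host 'Dry run only. Re-run with -Apply from an elevated prompt to write the policy.' }
```

Two checks before relying on it: log on as a standard user and confirm that an .exe copied to the desktop or a USB stick refuses to run while installed programs still start, and look for user-writable folders underneath the whitelisted roots (icacls on the subfolders of %SystemRoot% and %ProgramFiles%), since a path rule trusts everything below it and a writable subfolder is the classic way round an SRP path whitelist.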
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 1
    Yes, that is true, but there is one difference. Being the admin, you are automatically the owner/creator (the same applies to a wrongly set-up LUA); this makes the user/admin space a cloudy or muddy border. Others argue that because UAC prompts when a program requests elevation, UAC is no security frontier, as opposed to LUA. Also, from XP on you can set the LUA user to prompt for admin credentials, which is sort of similar to UAC, only with UAC the changes are in the environment/context of the current user. So this 'hard' border depends on policy settings. On my wife's LUA, I have set this enabled. So hardliners would say I changed the LUA/admin brick wall into a butter-soft border. She wanted a backdoor, because it was her PC. E.g. when she is out with her friends and they decide to view something from a camcorder. When they stick in the camcorder and it needs admin credentials to install/load a driver, then she will be prompted automatically for admin credentials.

    2.
    When you turn your current LUA down to Admin, the LUA user is the owner creator. But you would be certain you keep access to all your files (so you need to give a new user Admin rights). Flip side is this is an example of a not well setup LUA user (since the LUA user is the owner/creator of everything).
    Most commercial programs run perfectly under LUA; some security applications don't. But the thing is, you need way less security running LUA.

    3.
    Yes, SAFE and your Windows Ultimate, but let's do that through PM.

    Regards Kees
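
The "hard border depends on policy settings" point in Kees' answer, and MrBrian's "UAC on the highest setting" earlier in the thread, both come down to four DWORDs under the System policy key. The following is an added example (editor's, not code from this thread) that reads them, explains what each value means, flags the weak combinations, and with -Harden sets the strict ones: "Always notify" for admins, a credential prompt for standard users (the soft border Kees set for his wife), both on the secure desktop. Reading works from any prompt; -Harden needs an elevated one.

```powershell
# Added example (editor's, not code from the thread): inspect the UAC policy
# DWORDs, explain them, flag weak settings, and with -Harden set the strict
# combination. Vista/Windows 7 value semantics.
param([switch]$Harden)

$Sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminBehaviour = @{
    0 = 'elevate without prompting (UAC is decorative for admins)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop ("Always notify")'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (Windows 7 default)'
}
$UserBehaviour = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials (default)'
}

function Get-PolicyDword {
    # An absent value means Windows uses its built-in default.
    param($Props, [string]$Name, [int]$Default)
    if ($null -eq $Props.$Name) { $Default } else { [int]$Props.$Name }
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $Sys
    New-Object PSObject -Property @{
        EnableLUA                  = Get-PolicyDword $p 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = Get-PolicyDword $p 'ConsentPromptBehaviorAdmin' 5
        ConsentPromptBehaviorUser  = Get-PolicyDword $p 'ConsentPromptBehaviorUser' 3
        PromptOnSecureDesktop      = Get-PolicyDword $p 'PromptOnSecureDesktop' 1
    }
}

function Test-UacPolicy {
    param($Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is 0: UAC off, an admin logon runs everything with the full token' }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: anything can elevate silently, there is no prompt to say no to' }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 3 -or $Policy.ConsentPromptBehaviorAdmin -eq 4 -or
        $Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts are not on the secure desktop: a running program can overlay or click them' }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'ConsentPromptBehaviorUser is 0: standard users are auto-denied (1 or 3 gives the credential prompt instead)' }
    return $findings
}

function Set-UacStrict {
    # "Always notify" for admins, credential prompt for standard users, both on the secure desktop.
    $strict = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1 }
    foreach ($n in $strict.Keys) {
        New-ItemProperty -Path $Sys -Name $n -PropertyType DWord -Value $strict[$n] -Force | Out-Null
    }
}

$policy = Get-UacPolicy
Write-Host ('Admin elevation : {0} -> {1}' -f $policy.ConsentPromptBehaviorAdmin, $AdminBehaviour[$policy.ConsentPromptBehaviorAdmin])
Write-Host ('User elevation  : {0} -> {1}' -f $policy.ConsentPromptBehaviorUser,  $UserBehaviour[$policy.ConsentPromptBehaviorUser])
Write-Host ('Secure desktop  : {0}   EnableLUA: {1}' -f $policy.PromptOnSecureDesktop, $policy.EnableLUA)

$findings = @(Test-UacPolicy $policy)
if ($findings.Count -eq 0) { Write-Host 'No weak UAC settings found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

if ($Harden) {
    Set-UacStrict
    Write-Host 'Set admin=2, user=1, secure desktop=1, EnableLUA=1 (reboot if EnableLUA changed).'
}
```

The prompt-behaviour values take effect immediately; a change to EnableLUA needs a reboot. Note what the strict setting does and does not buy: with ConsentPromptBehaviorAdmin=2 an admin still only has to click Continue, so the protection is exactly as good as the user's answer to the prompt, which is the question Rmus raises earlier in the thread; a separate standard account with ConsentPromptBehaviorUser=1 at least demands the admin password before anything gets the full token.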
     