The magic of TTT!

Discussion in 'sandboxing & virtualization' started by Checkout, May 22, 2002.

Thread Status:
Not open for further replies.
  1. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    After some delay, I'm finally getting to grips with Tiny's Trojan Trap.  The program is so powerful that many, including myself, have found it too daunting to implement...but last night I saw the light!

    With the Administration Tool, I created a new Application Group called "IE Straitjacket".  I made this RESTRICTED.  I promptly moved Internet Explorer from its predefined group into the straitjacket.

    I clicked File Security, and promptly set ALL drives to "No Access".  I did the same to System Security and Registry Security.

    Then the sneaky part...I went back into File Security and clicked "ask user" and double-clicked ALL.  I did the same for System Security (for all its headings) and Registry Security (again, for all headings).  Then I started IE.

    Through trial and error, I learned which prompts to set to "permanently allow" and which to set to "permanently deny".

    Result:  when I set IE's address bar to my C drive, all I see is a read-only version of AUTOEXEC.BAT!  No other files, no other folders!  Nada!  Zilch!  Nothing!

    I also set scripts to run in their own sandboxes.  Now I've got the happy situation where if any malware scripts try to run on my browser, they've got nothing to find, nothing to change, nothing to do!

    Plus, I've got BOClean running, and AVG, and Script Sentry, and all the other usual suspects.  Boy, am I feeling smugly secure this morning!

    I'm in the process of doing the same thing to Outlook Express.  Then I'm going to investigate CHX-I (packet filter and firewall, separately) and then - who knows!

    I love TTT!  Don't be scared of it!  It's easier than it looks!
     
  2. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    This app must be the ultimate fix for those who love to play with windoze access rights! :D

    Great to see you have got to grips with it - I've found the default app groups for IE and OE perfectly adequate for my needs, and therefore have not set up any custom app groups.  

    I've tested TTT against firehole and the like, and found that the only way that anything spawned by IE or OE can get anywhere near my registry is if I am dumb enough to save it to my 'sandbox downloads directory', then give it permission to climb out of the box.

    I agree entirely that there is no feeling quite as smug as the knowledge that if a bad guy gets in, all they can do is spin their wheels and go nowhere.

    Something you could try (Soul Flame's idea) is to set up a group called 'threats' which switches on every restriction you can find.  Run any 'suspect' executable in that group.  You can then see from the activity window exactly what it was trying to do.

    If you've got a dual boot, it's great watching as an executable tries to write to your C drive (don't forget to put it in the 'confidential' category) when there's precious little there anyway.

    If you update IE or need to 'install on demand', probably best to disable the Trap first - the update feels the need to write to the weirdest of places whilst executing.  The first time I came across this I thought I'd been attacked by something.
     
  3. FanJ

    FanJ Guest

    Checkout,

    When you are going to play with CHX-I, please let us know about your experiences (I'm too curious about it; have visited their site a few times); best to start a new thread for that.
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Will do.  It may take a while, though.
     
  5. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Checkout, will you now lose your firewall and enable Java and ActiveX?   Sounds very tight to me.
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I'd feel very unsure without my firewall - I get a lot of scans.  But, yes, I'll allow scripting and see what happens!  :)
     