Threatfire custom rules setup

Discussion in 'other anti-malware software' started by Kees1958, Aug 18, 2007.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Kind of you to post all this.
    Hope you get a gong from PCTools. :thumb:

    I'm still on CH 1.2: heh: time to move on?

    Have you got some screenies of your set-up wrt resources in ProcExplorer?

    Regards.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ThreatFire uses the same amount of memory as CyberHawk 2.04 (I think around 8 MB) and it still issues a suspend when your browser starts (although since 2.04 a great improvement has been made).

    I think you should really give it a try. CB 2.04 only took a bit more CPU and time than the CyberHawk version 1.2.0.36 I used before.
     
  3. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Do you have a text list of these registry keys and values? I hope they develop some kind of import function to make this easier. o_O

    I was going to ask why you specified 1-99999 and port 80 in the port settings but now I see it's a bug ( you can't delete entries unless you delete the rule and make a new one). Ports only go to 65535 anyway.

    Does this program block UDP and TCP?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See attached file
     

  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Thanks.

    I just noticed that TF doesn't block a little program called Neutron from updating time. I have a network rule blocking ports 1-65535 and no matter if I select TCP or UDP, Neutron still gets through.
     
  6. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    Thanks so much for the walkthrough. I actually implemented all the rules, took quite a while, but I'm sure it's a good layer of defense I've now got. I download music/movies with BitTorrent. Would the last rule interfere with these types of programs?
     
  7. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Is there any way to block network access without quarantining a program?
     
  8. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi Espresso--

    Currently the only choices when ThreatFire enforces a Custom Rule you have created are Allow or Quarantine.

    However, you'll notice that the Threat Control Center still includes a "Denied" bin. This bin is actually not used for anything in this release, but the plan for a future update (v. 3.1) would be to modify the alert dialogs for Custom Rules to show the choice of Allow or Deny, rather than Allow or Quarantine. You would also have the opportunity to check the "Remember this answer" box to always allow or always deny that action. In many cases for custom rules it just makes more sense to only "Deny" the action rather than "Quarantine" it.

    In most other cases with the ThreatFire alerts (all non-custom rule alerts), Allow or Quarantine should suffice.

    Kind regards,

    Becky Dubrow
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Import and Export of rules would be fine (to configure across PCs).
     
  10. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Correct me if I'm wrong, but shouldn't it be ports 0-65535 (i.e., a total of 65536 ports).
     
  11. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I did port blocking in TF, but isn't it supposed to ask whenever an application is trying to connect out? Or am I supposed to make a rule for each application that should be excluded from the port blocking custom rule?
     
  12. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Yes, but I don't think you can connect out to port 0 in Windows. Somebody correct me if I'm wrong.
     
  13. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Just tried the Reg Test at http://www.ghostsecurity.com/products/ using the Kees 1958 modified rules, not a peep out of TF!

    Maybe somebody can try the same and confirm. I may have set things up wrong but I don't think so.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Riverrun,

    Do you have all the rules you have made enabled? (see picture). Sometimes you need to suspend and restart ThreatFire. I just tested it against CyberHawk Pro. The custom rules kicked in.

    I am waiting for the official ThreatFire with update, because I have entered all rules I mentioned in this post in a much more granular way, for every registry key/group of registry keys a separate key instead of one rule defending the whole registry (could let me control which programs to allow on a much more detailed level).
     

  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here is an example of additional worm protection.

    Choose any number of files you like, add access types like write (is overwrite) and/or delete. You can also set a time (number of seconds) in the options. To prevent unnecessary pop-ups, include your download and temporary directories (P2P, Download manager, Browser and your OS).
     

  16. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Kees, definitely an excellent guide with regards to making advance rules with TF. very much appreciated.

    after using TF for several days now, with no hiccups, I was just wondering specifically with regards to the examples mentioned in the tutorial, namely, system file protection, startup registry protection and noninteractive application initiating outgoing traffic.
    Being a smart HIPS that I try to believe it is, isn't it that TF is supposed to have out-of-the-box protection for those mentioned in the examples since the behaviors being blocked in the advance rule examples are common among malwares? I was just thinking if TF will suffer performance downgrade with advance rules 'duplicated' with TF's internal rules.
    I believe TF's advance rule is more geared towards controlling specific applications', even valid ones, behavior the same way a classical HIPS does...
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Glentrino2duo,

    ThreatFire, by default, warns you when an exe or executable-like file is changed, so there is likely to be some overlap. It also watches the startup entries of the registry. Looking at the way the rules are described (starting with a trigger) in a natural-language-like programming manner, I doubt whether a third or fourth rule on the same trigger by the same program will have noticeable impact on performance.

    Performance bumps I noticed were from CyberHawk 1.2 to higher (worse) and from CyberHawk Pro 2.03 to 2.04 (much faster). So the overhaul of programming codes on triggers (hooks) has by far a greater impact than an additional rule.

    Looking at your nickname, you probably have a dual core PC, I should not worry about it.


    So let's add some extra registry protection:

    Changes in XP file protection and anonymous account:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous

    Changes in software not allowed to run (software you might use for protection):
    HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun


    Regards Kees
     
    Last edited: Aug 28, 2007
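    As an added example (not part of the thread, nor ThreatFire's own tooling), a read-only PowerShell audit of the four registry values the post above asks ThreatFire to guard, so you can see what state they are in before writing the rule. The "Expected" column is an assumed baseline for a stock workstation, not something the post states; adjust it to your own policy.

```powershell
# Added example: audit the registry values named in the post above (read-only).
# Expected values are an ASSUMED baseline, not taken from the thread.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'SFCDisable'; Expected = 0
       Note = 'non-zero means Windows File Protection has been switched off' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'restrictanonymous'; Expected = 1
       Note = '0 allows anonymous enumeration of shares and accounts' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'DisallowRun'; Expected = $null
       Note = '1 activates a block-list of programs under the DisallowRun subkey' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun'; Expected = $null
       Note = '1 hides the Start > Run command' }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $current = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    # $null -eq $null is $true, so "Expected = $null" means "should be absent"
    $ok = ($current -eq $c.Expected)
    [pscustomobject]@{
        Value    = "$($c.Path)\$($c.Name)"
        Current  = if ($null -eq $current) { '<absent>' } else { $current }
        Expected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        Note     = $c.Note
    }
}

# If a DisallowRun block-list exists, show what it blocks: malware sometimes uses
# it to keep security tools from launching, which is why the post guards the key.
$dr = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path -Path $dr) {
    Write-Output 'Programs currently blocked via DisallowRun:'
    (Get-ItemProperty -Path $dr).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "  $($_.Name) = $($_.Value)" }
}
```

    Run it as the user whose HKCU you want to inspect; the HKLM values are the same for every user.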
  18. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    Will these rules cause a lot of pop-ups like a classical HIPS, like when a new program is installed or something?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Drew99GT,

    You will get 2 pop-ups max when choosing remember.

    Regards Kees
     
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    good grief how did i miss this excellent thread! nice job kees. i've been hearing lots of good things about threatfire. even the free version seems highly configurable. i haven't installed it yet and i have a few questions:

    1a) i was looking at this post here and it got me thinking. what would happen if you put something like "C:\*.*" in the folder list? would this prevent ANY non-system and non-trusted program from creating/deleting/writing executables to the hard drive?

    1b) how would this affect the OS (like blue screening and such)?

    2a) is it possible to set up a rule that would forbid any non-system and non-trusted program from writing to the registry?

    2b) how would this affect the OS?
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ZopZop,

    I would not advise a *.* to be watched, would be too chatty I think. Better restrict to a few files like:
    - C:\autoexec.bat
    - C:\boot.ini
    - C:\config.sys
    - C:\ntdetect.com
    - C:\ntldr
    - C:\WINDOWS\system.ini
    - C:\WINDOWS\Tasks\*.*
    - C:\WINDOWS\win.ini
    - C:\WINDOWS\wininit.ini
    - C:\WINDOWS\System32\AUTOEXEC.nt
    - C:\WINDOWS\System32\bootvrfy.exe
    - C:\WINDOWS\System32\CONFIG.nt
    - C:\WINDOWS\System32\control.ini
    - C:\WINDOWS\system32\drivers\etc\hosts
    - C:\WINDOWS\system32\svchost.exe

    Be sure to exclude system and trusted processes.

    2. No
    But you would not want that, for the same reason. Use the list I posted (which Toni Klein has put together for regdefend). You can exclude the run, runonce, runservices (autostart locations in HKCU and HKLM etc.) because TF guards them now.

    Regards Kees
     
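    As an added example (not from the thread and not part of ThreatFire), a small PowerShell script that takes a SHA-256 baseline of the watch list above and, on a second run with -Compare, reports which of those files changed, appeared or went missing. It assumes PowerShell 4 or later for Get-FileHash and a baseline file location of my own choosing.

```powershell
# Added example: file-integrity baseline for the watch list in the post above.
# First run writes the baseline; "-Compare" re-hashes and diffs against it.
param(
    [string]$BaselinePath = "$env:ALLUSERSPROFILE\watchlist-baseline.json",  # assumed location
    [switch]$Compare
)
$win = $env:SystemRoot   # usually C:\WINDOWS
$watch = @(
    'C:\autoexec.bat', 'C:\boot.ini', 'C:\config.sys', 'C:\ntdetect.com', 'C:\ntldr',
    "$win\system.ini", "$win\win.ini", "$win\wininit.ini",
    "$win\System32\AUTOEXEC.nt", "$win\System32\CONFIG.nt", "$win\System32\control.ini",
    "$win\System32\bootvrfy.exe", "$win\System32\svchost.exe",
    "$win\system32\drivers\etc\hosts"
)
# The post lists C:\WINDOWS\Tasks\*.*; expand that wildcard to the files present now.
$watch += @(Get-ChildItem -Path "$win\Tasks" -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)

function Get-WatchlistState {
    # Returns path -> SHA-256 hex digest, or '<missing>' for files that do not exist.
    $state = @{}
    foreach ($f in $watch) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $state[$f] = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        } else {
            $state[$f] = '<missing>'
        }
    }
    return $state
}

$now = Get-WatchlistState
if (-not $Compare) {
    $now | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($now.Count) entries)"
    exit 0
}

$old = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($f in $now.Keys) {
    $before = $old.$f
    if ($null -eq $before)          { Write-Output "NEW      $f" }
    elseif ($before -ne $now[$f])   { Write-Output "CHANGED  $f" }
}
foreach ($p in $old.PSObject.Properties) {
    if (-not $now.ContainsKey($p.Name)) { Write-Output "REMOVED  $($p.Name)" }
}
```

    A CHANGED line on hosts, svchost.exe or a Tasks entry is exactly the event the post's write/delete rule is meant to catch; the script just gives you an after-the-fact check that the rule did its job.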
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ZopZop,

    The custom rule posted in https://www.wilderssecurity.com/showpost.php?p=1059784&postcount=23

    Can now be changed to

    When any non-interactive process
    creates 1 TriggerCount network connections
    except when the source process is in the system process list
    or the source process is in the trusted process list

    This will pass against the bufferzone trojandemo test.
     
  23. binary_jester

    binary_jester Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    10
    Much thanks for the tutorial. Regarding your last post. Is it better to add that rule or modify the previously mentioned rule?
     
  24. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    kees thank you again for the advice :)

    threatfire with your custom rules seems to be an excellent addition to my security software setup (to complement geswall). i only have 2 more questions and i'll leave you alone i promise :)

    1) is it possible to export the rules? like say i want to install threatfire on my brother's pc?

    2) how is threatfire on system resources? like how much ram does it use up?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It is better to modify it.

    Regards Kees
     