Threatfire custom rules setup

Discussion in 'other anti-malware software' started by Kees1958, Aug 18, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ZopZop,
    Nr 1 is high on the wishlist of the TF forum members. So it is still not possible. TF Tray uses 3,5 MB of memory and TF Service just 4 MB (with incidental spikes to 4,5 MB). Note that we have the TF Pro version now.

    TF runs well with GeSWall. I had some trouble with GW blocking Digital Rights Management of purchased music songs, so I changed (the ease of having image backups) our settings on XP machines from A2 IDS + WinPooch + DW and TF + GW to A2 IDS + WinPooch + GW and TF + DW. On the Vista64 we run UAC (in quiet mode) with PRSC and HauteSecure beta.

    Normally DW is a bit slower than GW, but TF works nearly as fast with DW v2.05 as with GW 2.6. We are behind a hardware NAT/SPI router and have no AV in realtime (only A2's realtime on 1 machine) and have not been infected for over a year now on the XP machines (I always run a Bitdefender scan before making backups). The Vista64 is only three months up and running (is scanned with Avast 64 bit before backup) and no problems whatever.

    Regards Kees
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here is my registry value custom rule

    When any process
    tries to write to the registry
    to
    HKCU\Control Panel\Desktop\ScreenSaveActive or
    HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask or
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load or
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs or
    HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun or
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun or
    HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions or
    HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute or
    HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec or
    HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute or
    HKLM\SYSTEM\ControlSet002\Control\Session Manager\Environment\ComSpec or
    HKLM\SYSTEM\ControlSet003\Control\Session Manager\BootExecute or
    HKLM\SYSTEM\ControlSet003\Control\Session Manager\Environment\ComSpec or
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous or
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute or
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec or
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations or
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
    |TriggerValues
    except when the source process is in the system process list
    or the source process is in the trusted process list

    See post 15 in this thread on how to make it. It is easier now: just copy the values (with the OR) above one by one.

    Regards Kees
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here is my registry keys custom rule

    When any process
    tries to write to the registry
    to
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ or
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system or
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\ or
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\ or
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ or
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ or
    HKLM\SOFTWARE\Microsoft\Command Processor\ or
    HKLM\SOFTWARE\Microsoft\Ole\ or
    HKLM\SOFTWARE\Microsoft\Ras\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ or
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\ or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved or
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ or
    HKLM\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\ or
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ or
    HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\ or
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ or
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ or
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\ or
    HKLM\SYSTEM\CurrentControlSet\Control\WOW\ or
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\
    |TriggerKeys
    except when the source process is in the system process list
    or the source process is in the trusted process list
     
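The two rules above (the exact "registry value" list in post 2 and the "registry keys" subtree list in post 3) are easy to get subtly wrong when you implement the same idea yourself: registry paths are case-insensitive, the long and short hive names (HKEY_LOCAL_MACHINE vs HKLM) are the same thing, and HKLM\SYSTEM\CurrentControlSet is only a link to one of the numbered ControlSet00N keys, which is why Kees lists each numbered set separately. The following is an added illustration written for this page, not ThreatFire's engine or any code from the thread: it applies a subset of both trigger lists to a few constructed registry-write events. The process lists, the event dictionary format and the sample events are assumptions.

```python
"""Registry custom-rule matcher: an added illustration (not ThreatFire's
own engine) that applies the two rules above to constructed registry-write
events. Trigger lists are a subset of the post's; process lists and the
event dict format are assumptions."""
import re

# Exact value triggers (rule 1, "|TriggerValues"): the full value path must match.
TRIGGER_VALUES = [
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations",
]

# Key triggers (rule 2, "|TriggerKeys"): any value written beneath the key fires.
TRIGGER_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2",
]

SYSTEM_PROCESSES = {"services.exe", "winlogon.exe", "svchost.exe", "lsass.exe"}
TRUSTED_PROCESSES = {"msiexec.exe"}   # assumption: whatever the user has trusted

_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
          "hkey_users": "hku"}
_CONTROLSET = re.compile(r"^hklm\\system\\controlset\d{3}\\")

def normalize(path):
    """Canonical form for comparison: backslashes, lower case (the registry is
    case-insensitive), short hive names, and HKLM\\SYSTEM\\ControlSet00N folded
    into CurrentControlSet. CurrentControlSet is only a link to one of the
    numbered sets, so a writer that targets ControlSet001 directly changes the
    same key; folding the alias lets one rule entry cover all of them."""
    p = path.replace("/", "\\").strip().lower()
    hive, sep, rest = p.partition("\\")
    p = _HIVES.get(hive, hive) + sep + rest
    return _CONTROLSET.sub(r"hklm\\system\\currentcontrolset\\", p)

VALUE_SET = {normalize(v) for v in TRIGGER_VALUES}
KEY_PREFIXES = tuple(normalize(k).rstrip("\\") + "\\" for k in TRIGGER_KEYS)

def matches(event):
    """event: {'process': image name, 'path': full path of the value written}.
    Returns the name of the rule that fires, or None."""
    proc = event["process"].lower()
    if proc in SYSTEM_PROCESSES or proc in TRUSTED_PROCESSES:
        return None                       # the rules' "except when ..." clauses
    path = normalize(event["path"])
    if path in VALUE_SET:
        return "TriggerValues"
    if path.startswith(KEY_PREFIXES):
        return "TriggerKeys"
    return None

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"process": "setup.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute"},
    {"process": "services.exe",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"},
    {"process": "dropper.exe",
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
             r"\Image File Execution Options\taskmgr.exe\Debugger"},
    {"process": "notepad.exe",
     "path": r"HKCU\Software\Microsoft\Notepad\lfFaceName"},
]

def scan(events):
    """Return (process, rule) for every event that trips a rule."""
    hits = []
    for e in events:
        rule = matches(e)
        if rule:
            hits.append((e["process"], rule))
    return hits

if __name__ == "__main__":
    for proc, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

Two aliases this example does not fold, and which a real rule set has to think about: HKCU is itself a link to HKU\<SID of the logged-on user>, so a process writing under HKU\S-1-5-21-... directly lands on the same keys as the HKCU entries above; and on a 64-bit Windows (the Vista64 box mentioned earlier in the thread) a 32-bit process writing to HKLM\SOFTWARE\... is redirected to HKLM\SOFTWARE\WOW6432Node\..., so a rule that names only the 64-bit path misses it.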
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I wonder if Threatfire includes any built-in rule to watch/track the reg key where URIs are stored. Lots of recent vulnerabilities are involved with URI handling.
     
  5. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    I agree.
    Thank you for your time and effort.
    It is appreciated!:D
     
  6. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
    If you enter 80 then 81 then 8080, for example, you don't get the 1-99999.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  8. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
  9. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Very light. On my system, less then 8k.:)
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lucas1985,

    I do not know. But my approach is to run URI related programs (adobe, quicktime, etc) as untrusted in DefenseWall/GeSWall Pro.

    May be someone who knows more on this topic could join in.

    Regards Kees
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, every app receiving commands from the browser should run isolated.
    I think that should be very easy for a smart behav. blocker like TF to monitor processes reading/writing to the URI key followed by the download of an executable.
    Solcroft, are you there :D?
     
  12. colorado13

    colorado13 Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    117
    Location:
    Orihuela, Spain
    Kees1958, thanks for the tutorial. Very much appreciated.


    Regards
     
  13. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    Thank you very much for all the custom rules, :D:thumb: will you be posting any more?
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gizzy,

    As Solcroft pointed out, TF is intelligent by itself. So you should not specify too many custom rules, because you might make the behavior blocker behave as a 'dumb' intrusion detector.

    But here is one, which is normally suspicious

    When an email program or web browser
    tries to rename a file
    in C:\ or C:\WINDOWS or C:\WINDOWS\System32|TriggerFolders
    except when the source process is in the system process list
    or the source process is in the trusted process list

    Regards Kees
     
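The rule above keys on three things at once: the class of the source process (mail client or browser), the operation (rename) and the folder the file lives in. The part that needs care in an implementation is the path comparison: Windows paths arrive with either slash, with "..", in mixed case, or with the \\?\ literal prefix, and a rename touches two paths, of which the destination (a download being renamed into System32) is the interesting one. The following is an added illustration written for this page, not ThreatFire's code, applying the rule to constructed rename events. Which image names count as "email program or web browser", the system/trusted lists and the event format are assumptions, and "in C:\" is read as the file's parent directory being exactly that folder (if it meant the whole subtree, C:\ would cover every file on the drive).

```python
"""File-rename custom-rule matcher: an added illustration (not ThreatFire's
own code) applying the rule above to constructed rename events. Process
lists, event format and the sample events are assumptions."""
import ntpath

# Assumed membership of the "email program or web browser" class.
BROWSER_OR_MAIL = {"iexplore.exe", "firefox.exe", "opera.exe",
                   "outlook.exe", "thunderbird.exe"}
SYSTEM_PROCESSES = {"services.exe", "winlogon.exe", "svchost.exe"}
TRUSTED_PROCESSES = set()
TRIGGER_FOLDERS = ["C:\\", r"C:\WINDOWS", r"C:\WINDOWS\System32"]

def normalize_path(path):
    """Canonical form for comparison: drop the \\\\?\\ literal-path prefix, fold
    '/' into '\\', resolve '.' and '..', lower-case (NTFS names are
    case-insensitive). ntpath applies Windows path rules on any host OS."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()

FOLDER_SET = {normalize_path(f) for f in TRIGGER_FOLDERS}

def matches(event):
    """event: {'process', 'src', 'dst'}. Both ends of the rename are checked;
    returns the trigger folder that was hit, or None."""
    proc = event["process"].lower()
    if proc in SYSTEM_PROCESSES or proc in TRUSTED_PROCESSES:
        return None                      # the rule's "except when ..." clauses
    if proc not in BROWSER_OR_MAIL:
        return None                      # rule only applies to mail/browser
    for p in (event["src"], event["dst"]):
        folder = ntpath.dirname(normalize_path(p))
        if folder in FOLDER_SET:         # parent directory, not the subtree
            return folder
    return None

SAMPLE_EVENTS = [  # constructed, not real logs
    {"process": "firefox.exe",
     "src": r"C:\Users\kees\Downloads\update.part",
     "dst": "C:/Windows/System32/../System32/wsock32.dll"},
    {"process": "OUTLOOK.EXE",
     "src": r"\\?\C:\boot.ini", "dst": r"\\?\C:\boot.bak"},
    {"process": "firefox.exe",
     "src": r"C:\Users\kees\Downloads\a.part",
     "dst": r"C:\Users\kees\Downloads\a.zip"},
    {"process": "svchost.exe",
     "src": r"C:\WINDOWS\foo.tmp", "dst": r"C:\WINDOWS\foo.dll"},
    {"process": "notepad.exe",
     "src": r"C:\WINDOWS\notes.txt", "dst": r"C:\WINDOWS\notes.bak"},
]

def scan(events):
    """Return (process, folder) for every event that trips the rule."""
    hits = []
    for e in events:
        folder = matches(e)
        if folder:
            hits.append((e["process"], folder))
    return hits

if __name__ == "__main__":
    for proc, folder in scan(SAMPLE_EVENTS):
        print(f"{proc} renamed a file in {folder}")
```

If the intended meaning is the whole System32 tree (drivers\, for instance), replace the exact parent check with a prefix test for the WINDOWS entries only and keep C:\ as a direct-children match. What no offline matcher can do is resolve 8.3 short names (C:\PROGRA~1), junctions or symbolic links; a behaviour blocker sees the path as the kernel has already normalized it, so its rule engine does not have to.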
  15. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    Thanks for another custom rule Kees1958,

    I never noticed Solcroft's post about this, but I understand what you're saying too many custom rules and I'll be attacked by threatfire pop ups ;)
     
  16. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    617
    Location:
    Surabaya Indonesia
    Has anyone already done these tutorials and could export the rules? :D So others can import them....
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    cupez80,

    Exporting/importing custom rules is still on the wish list. I do not understand why not more programs offer this (Regdefend, WinPooch, EQsecure all have it and it's so easy when you have several PCs).

    Regards
     
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I know a couple of discontinued firewalls (kerio, filseclab) that did that years ago. Handy as all get-out! Maybe they'll institute that in the pay-version, hopefully sooner than later!
     
  19. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    617
    Location:
    Surabaya Indonesia
    Hmm.. it seems like I should enter all custom rules manually... :D
     
  20. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    First, decide on the important ones so as not to overload the rule-set.
     