What is your infection chance?

Yep. heuristics can improve alot (glorified signatures), That's why you do need a layered defense. HIPS yes can be very annoying.

Josh

 

With Sandboxie you are completely unprotected in picking up an infection but fully protected in containing the infection to the sandbox.

Returnil is the same in offering no protection in picking up an infection with a reboot required to clear most infections.

Both make a great combo and yet I still employ ghost images just in case and they have been used on occasion due to my own tinkering with system settings whilst not in Returnil mode.

 

what is the chance of me getting infected ? answer - minimal - even with no protection beyond a hardware firewall and firefox.

what damage could any infection do ? Not much. data would not help anyone else. passwords protected.

how easy would it be to put right ? Very easy with images.

so we have a layered approach - 0.X% chance of infection x 0.Y% chance of real damage or loss xZ% chance of not being able to put things right = conclusion that any risk is both small and acceptable.

 

Slim. But there's always a chance.

 

@Easter, this discussion can not be won by you, lets add some extra.

To test a program for the 100%, this implies that all the possible program logic paths are tested in combination with all relevant decision context data.

Because that is impossible, no one claims 100% bulletproof functioning of Software.


To state that your infection chance is ZERO (when PC is used and connected to the outside world), would imply somebody would know all test situations and critical OS/Network conditions (also known as EXPLOITS).

When this is the case (all EXPLOITS covered), you would not need a HIPS, but a simple blacklist scanner. Because you dear Easter have stopped putting faith in black list scanners, because they can not know all exploits/virusses, why my dear Easter could you claim to be able to?

Let me state very clearly, I know you have tested a lot, even got credentials from a famous rebellian security expert now working for a large software company (much liked by you ) in testing his great product.

I think you could refrase you 0%, is that you know that all known XP exploits do not have a chance in your setup. Given the fact that we are on SP3 (you are still running SP1, I believe). I believe you, when you claim that your setup is in the top 3 set ups challenged with malware, for all members not working as professional in the IT-security industry.

Regards Kees

 

Long view you are so right. Infection is all about the chance something will occur against the impact of the event/intrusion. My 0,35% is my intrusion failure percentage, to calculate my infection chance, I have to multiply it with risk of infection. This risk is based on my PC behaviour (coming into dangerous places). For sake of argument, let's discuss the intrusion failure percentage (that is my 0,35%)

Regards Kees

 

Ad A
Yes heuristics are based on family reseamblance of virusses belonging to the same family, compared to behavior patterns of PRSC or TF a virus family is much more detailed than a behavior pattern (so a larger risk of missing a new one which does not fall in an existing family). Also active heuristics (and virtualisation) is used by a few AV's (Norman, Rising for I know of), this defense tricks malware into execution for better analysis. Virtualisation (and in future using the defense mechanismes of your CPU) and replacing passive euristics with behavior blocking will be the development of future AV's. When they are succedfull in implementing the technology, they are the most likely candidates to bring virtualisation to the masses.

Ad B

There are several HIPS, firs the ones that only prevent by looking at all the attack vectors, examples of these are

1. Classical HIPS, like SSM/EQS/D+ by addressing the System Hook table (for events), the file system and teh registry and parant-child execution control they try to cover everything. Every classical HIPS chooses a selection of attack vectors to control, just run AVZ to see which hooks are covered, because no controls all the attack vectors, this is a intrusive HIPS, with holes in its protection by design.

Verdict:
Defense mechanism = every program is treated the same until white listed, its is basically a door open or close policy. This one size fits all approach can not be succesfull by design (simply not all hooks can be covered). So it is essential not an All for All approach (meaning ALL vectors covered for ALL programs handled). Another weak element is the fact that the whitelisting decision is made by the weakest link in the security chain (the user)

Smart exceptions are execution blockers (like Anti Executable) with white and blacklists included. They focus on one core element: preventing execution. For AE it is possible to monitor all known hooks influencing the flow of execution and it is possible to identify all currently known files with executable code in it.


2. Behavior HIPS, like ThreatFire, PRSC, Mamutu
They more or less monitor the same intrusion vectors as classical HIPS, some (like ThreatFire) are able to track all its actions after one action has aroused suspicion. What they do is what Police profilers do, they identify malicious behavior patterns. Because an incident is generalised to an intrusion attribute, different malicious behavior falls into the same malicious behaviour pattern (as PRSC shows clearly in the analysis of the program, e.g. survives reboot, etc).

Verdict:
Because a series of intrusion is translated into generalised malicious behaviour patterns, existing patterns will have a great chance against new threats, because they fall into an existing pattern (same as heuristics with AV's identify families of malware, but to a much more detailed level, the more detail, the more specific, more specific means less chance of succes a new malware will fit into an existing family). Behavior blockers do not have to cover the complete system hook table, because it is not an ON/OFF OR DOOR OPEN/CLOSE policy in regard to one single intrusion, becaus ethey monitor a series of intrusions, they can afford to limit intrusion control to a few specified system hooks. Down side of behaviour blockers is that is a FOCUS for ALL strategy, simply said, although a behaviour blocker only monitors a few dangerous system hooks, it does this for all programs (every program is treated more or less the same). Another performance set back (for old CPU's) is that an intelligent blocker like TF, tracks all actions with the opion to remove it, this rollback/quarantaine tracking also takes a lot of CPU (on a dual core TF will fly, on single cores only on the fastest)

3 Policy Sandboxes, like GeSWall and DefenseWall
Form a contingency point of view these programs have the best architectural design for reasons of:
A) LUA and SRP is an old and proven defense mechanisme, since it is incorporated in the OS, the handles to assure will nicely fit a third party program, so the problem of which handles to monitor can be solved!
B) Policy sandboxes focus only on the sources of possible malware, called THREATGATES like browser, USB drive, mail etc. With a Threatgate application is communicated with external data sources. It is a clever way of engineering a CPU intensive control mechanisme on a limited set of programs (the ThreatGates).
C) They do not have a DOOR OPEN/CLOSE policy. Downloaded files by Threatgate appliations are marked as untrusted, so malware will always be mitigated, compared to Clasical HIPS (open/close) and Behavioral Blockers (well lets track your actions while in the corridor), this is either a big security advantage (compared to classical HIPS) or a CPU performance advantage (compared to behavioral blockers).

Verdict The above explains it all apolicy sandbox is superb over classical HIPS in terms of risk mitigation (and user firendliness) and superb over behavioral blockers in terms of performance and reaction time window (trusted/untrused state is a static condition and not a dynamic one like a series of intrusions at which the behavior blocker has to decide at the end, based on malicious patterns, also the risk of a new malicious pattern is not relevant to a policy sandbox).

4. Virtualisation Sandbox
Application based virtualisation sandboxes like SBIE and SafeSpace, have to lay a layer between real world and virtual world, depending per application. Although this seems a simple concept, it has the same downside of a Classical HIPS that it can not cover everything. When granularity is set on application level, there are just to much interfaces to cover (and the interfaces themselves are more complex). By software design they are more complex than policy sandboxes while offering the same level of security.

Verdict Question: Why use a virtualisation sandbox when there are competing/alternative solutions with a smaller attack surface to cover (the number of handles to minitor), less interfaces, easier interfaces (because Microsoft incorperated policy management in the OS, only available on XP Pro and Vista Business). Answer: Personal preference, confidence in track record of organisation buying from, references of trusted friends, ?, from a rational point of view a policy sandbox is less complex (ego in theory more robust).

Note: that SBIE was able to provide almost always the same level of protection of DefenseWall and GeSWall, is because their team is doing a great job. Image what a good solution a PS4B (Policy Sandbox four Browsers) would have been when it woul dhave been made by the SBIE team. Considering the fact that they are running a competition with GW/DW with a backpack full of lead and still are able to keep up! So compliments SBIE developers team

5. Shadow Sandbox
Although this technology is based on the same principle as application based virtualisation sandboxes, their assigned task is simpler, due to the lower level of granularity: not looking on a per application basis, but either it is the whole system or a specific partition which is virtualised. This helicopter view, makes the number of handles to control less, for a partition there is also no mixed zone (in or out the sandbox data pocket), so in theory applications like Shadow defenser, Returnil, Power Shadow etc are a more solid defense solution than Application based sandboxes.

Verdict Good feasible additional layer when experimenting or doing risky surfing plus downloading, after the session everything is cleared. Why this approach fits Windows/Vista better is the simple fact that Microsoft offers one themselves: Windows Steady State.

Agghh this will trigger discussion further I think, may also be a new thread with the title: why some HIPS are more solid than others: have a look at its design/modus operandi

Regards Kees

 

Excellent write up Kees!!!!! Thanks!!!!

 

Thanks,

When reading the above, you can see that the next Online Armor relase with this new feature https://www.wilderssecurity.com/showpost.php?p=1270824&postcount=14 is a real winner

It is a sort of is a cross over of a smart classical HIPS/FW (same as Anti Executable with additional hook defense to be a FireWall with top class outbound traffic control/leaktest capabilities) and policy sandbox. Proof that it works can be read in Peter's testimonial https://www.wilderssecurity.com/showpost.php?p=1270392&postcount=7 (it also elegantly states the weakest link of a classical HIPS, the user).

Best payware solution
The paid version also has browser defense, so its contingency qualities also outclass many classical HIPS, when you think it is worth the money with the Kapersky AV engine and it runs well on your PC, it is the most allround and easy to use solution I currently know off.

For a best of breed approach I would opt for DefenseWall (with its default resurce protection it will also handle most leaktest, because it seperates untrusted from untrusted providing a more granular control) and ThreatFire FREE (with additional outbound traffic rule). Sort of teh same defense (not so solid firewall outbound traffic defense as OA, but it has the advantage over OA that DW also remembers untrusted state of downloaded files)

Best all freeware solutions:
Next Online Armor free with DriveSentry free (you can live without AV, because DriveSentry checks for in the wild malware, but when needed choose Antivir)

GeSWall pro->free trick (copy resources control rules and application rules of Pro version with print screens, remove Pro after trial and setup tested, install GeSWall Free version and manually enter the rules in the control version for resources and relavant applications as Webbrowser, E-mail, Chat, Download manager, etc) and ThreatFire free (also in this option you can live without an AV, TF checks at intrusion the VirusBuster DB, you can install Antivir as best freeware AV).

Regards Kees

 

As always Kees, very informative posts.
Thanks a lot for that.

(now I'm heading to tweak SBIE protection a little )

 

It's impossible for me to know as an average user, which malicious object is active or inactive, directly or indirectly. I didn't write the malware, so I don't know what it does exactly and for what purpose and there are millions of them.
I have the same problem with anti-malware, in most cases I don't know how it works and against what I'm protected.
So I'm insecure about malware & anti-malware and what is written on websites/paper are just words and promises.

The only way for me to be sure everything is gone is to undo any malicious change in my system by using ISR and IB, including the sleeping malware, which are indeed harmless until I activate them directly or indirectly.
Security + ISR is good enough to save the day, but everything what is online is vulnerable on long term. That's why I replace my actual system regularly with a clean system.
I don't work with percentages, I simply want my system back as it was when I installed it and without spending time on it.

In the past, I was always trapped in the same circle, that repeated itself over and over again :
"clean system - infected system - removal of infections - clean system".
I consider "removal of infections" as a waste of time, because going from "clean system" to "clean system" is the same as doing NOTHING and I know from the past how much time it took to get my clean system back.
Each time I read an infection post at Wilders, I recognize myself in the past, but I changed my vicious circle into
"clean system - infected system - clean system".
I still can do whatever I want, but this time without the garbage and troubles.
The circle "clean system - clean system" isn't possible, not with the security and new generation of malware of today.

 

About sandboxes:

Wouldn't it be possible for malware to get out of the sandbox by letting the sandbox/something else/the system crash ?

 

Superb write up Kees and i relate to ErikAlbert's revolving door in the past, thanks to the MANY new introductions at users choice now, we have more options and methods to impliment a sound strategy. Perfect? Maybe not to go that far if ever, but definitely closer by leaps and bounds then what was available times before.

Very Informative Thread and Posts!!

Great Comments & Replies from experience.

EASTER

 

Dunno?

Do you have poc we could have a look at?

 

That's wrong. There are people who don't use security software and don't have a recovery/backup strategy and their systems are clean and working perfectly.

Yes, it may be possible, at least theoretically.

In the last years, malware writers have discovered/re-discovered undocumented or little known ways to execute/load/inject code at ring 0 (kernel) and thus they defeated advanced security software. Other malware writers have discovered how to write to disk bypassing the Windows storage stack and thus, they defeated virtualization/ISR software.

Some bad guys may find a bug in SBIE's code or they may discover a new method to gain access to ring 0 without being noticed by SBIE. However, that possibility is very small.

 

Hi

It's possible, but the chance of a real malware able to do this is much less than real malware bypassing several signature scanners.

 

Eric, Ilya meant that DefenseWall immobilises Malware by keeping it caged in a strengthened limited user environment, hence the term "inactive malware (meaning marked untrusted by DefenseWall) is harmless (untrusted files kept in a strengthened limited user environment)

 

I was talking about malware that bypassed one of my security softwares, for instance my firewall or AE or DW, ... or my scanner, if I would use one.
Airtight security doesn't exist, that's why I use ISR to remove the remaining malware and if ISR doesn't do the job, IB will do the job, including malicious low level changes. If IB fails, I'm infected and that would be a very interesting malware, must be a rambo malware or a malware that infected my motherboard, video card, ....

 

Precisely. I'm also amused by those who say that they have layers of security and that this is why their systems are clean and work perfectly - highly flawed logic.

FWIW I don't use security software and have never been contaminated. It is true that the recovery backup strategy that I employ could be used to recover from an infection but first I would have to be infected.

 

If I would visit my bankwebsite and Wilders only, I wouldn't be infected either.
But I use ISR+IB for other reasons also. Threats aren't my main problem, legitimate softwares were my problem in the last two years. It's the total picture that counts.
If I had no internet connection, I would use ISR+IB also to correct my mistakes quickly, to clean my computer (junk) and in case of disk crashes. The people, you are talking about, don't think ahead, they only think about today. It's a part of my job to think ahead.

 

When staying out of risky area's infection risk is also low. A girl friend of mine managed with a Vista32 bits PC with only LUA, Vista FW and Defender to stay clean for over a year. She asked to help, because her Google search disappeared. It was a commercial ticker search bar installed. I ran a lot of on-demand scanners and only some light maltware was installed.

This sort of keeps things in perspective (the risks involved in surfing)

I only installed Avast free in Dutch (Web, Internet Mail, Messenger, Internet Mail shields) and ThreatFire (settings https://www.wilderssecurity.com/showpost.php?p=1273805&postcount=14).

 

I like reading these types of posts. Generally if you know something already you will glean some insight on a good method or new app, and if you know nothing then you just might learn something.

But really it is sort of a moot point. Anyone understanding the topics in this thread already know enough to save thier data. Whether one uses many 'tools' to achive this or just uses an image, or nothing at all. The idea of giving oneself a rating of possible infection should maybe be, 'What is your chance of losing sensitive data' or 'What is your chance of not recovering your data'.

To say that my chance of infection is low would be true. To say that it cannot happen would be a false statement. To say that I am capable of putting my data back into place if a big oopsy happens would be plausible. To say that I have no sensitive data to lose to a keylogger etc would also be plausible.

If I do not know what this thread is about, and we know that many many do not, then the probability of losing sensitive data or just losing data is quantitive to my habits. No amount of protection can protect one from oneself when the self does not know what is going on. You simply place the tool that they seem comfortable with and hope they take interest in learning.

Most sadly will not learn, and the hysteria and horror stories will continue, thus leading to more tools devoted to stopping the madness. Which is good for those who frequent these kinds of sites, because it gives us more geeky apps to test out to 'take control' of our computers.

Ah, myself I care not anymore. I load up vmWare to do anything 'sensitive', and maybe I will use many tools for protection on that. On the real OS there is nothing to lose. So a simple AV,FW & Sandbox will be fine. Should something decide to go home or whatever, I will put in my unattended dvd and reinstall. Because my data is safe on mirror raid, usb stick contains sensitive data for vmWare OS, tis easy IF it ever happens.

Sul.

 

As generalizations go I think this one should be in the hall of fame or a sticky at least. Erik I don't know what you're smoking tonight but it must be powerful stuff.

 

My final goal is to remove all my security softwares, use ISR+IB only and surf like a newbie, but I'm not ready yet.

 

well my final setup is complete.