Why cure when you can protect?

Discussion in 'other anti-malware software' started by Kees1958, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Horror as in computer-related. No. I don't have any.
    The worst thing that happened is when I dropped a PC monitor on my foot.

    Kees, getting hacked does not work by magic.

    Mrk
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Yup, you're right, hacking doesn't happen by magic.
    I've had nothing that needed to be blocked by my software firewall ever since I got a firewalled (NAT) router.
     
  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hi there.

    Quite, that's not classical horror, it's more of a gore-fest. :D

    Cheers.
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello Mrk.

    Here's a real-life example from my post #50. That's a classical horror story... The lesson is learned there, that's what's important. :)

    Regards,
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    No that's not the same thing.
    Here you have a hardware driver vector - ahead of the firewall - with a vulnerability. Not what I was aiming at. But we'll discuss this later. I gotta go play UFO: Enemy Unknown... such a sweeping old goldie...
    Mrk
     
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Is the chance bigger than you installing some new product, and clicking yes to prompts from HIPS blindly when it installs?
     
  7. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Yes I know. It's pretty funny how you can spot people who have been hacked before just by their postings. Some have even been hacked twice! But then again, some people are just paranoid by nature.

    That's the problem with the forum here. The whole premise of most setups here is to stop some unknown super hacker , which is unrealistic.

    Could the world's best hacker get through Hardware firewall, software firewall, SSM, Defense wall, a couple of scanners, etc ? Sure since we are postulating almost infinite skill and resources. He would probably start first by taking a very very close look at these products....

    Most security professionals don't aim for this level of protection at least for their personal setups.

    If you really want to *start* aiming at this unreachable target, the correct method isn't to pile on as many security products as you can think of, move from product to product based on hearsay, or even reason on some high level model on threatgates or whatever (though that is necessary but not sufficient). For those of you "testing" by running malware (rootkits are popular because they are perceived to be high tech), that's even dumber, that's just blind hammering. Obviously you are going to pass, since they are not targeted.

    Want to really *try* to meet this unrealistically high level of security? Acquire the source of what you are using, review the code for flaws. The hypothetical super bad guy who is out to get you will do that. Nothing else will suffice.
     
    Last edited: Mar 30, 2007
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Some fair points there, DA.
    Cheers,
    Mrk
     
  9. EASTER.2010

    EASTER.2010 Guest

    Matters not IMO and besides how many peeps actually have physical access to the genuine trademark/copyright code of microsoft systems?

    Some vendors no less have negotiated with $M enough to offer reasonable protection for end-users in general and programmers in particular, but then you are hypothetically suggesting the opposers who construct malware have adequately dissected the Windows O/S with various tools to possess that capability, in which case I would have to agree to a point.

    But then in all their efforts isn't that really a moot point and useless given the "numbers"? Tell me. There is far more attention focused AGAINST those type efforts now than the opposite than ever before. Anyone, including a noob, can confirm that in spite of the many who still regularly get hacked or exploited.


    Valid assumption but unrealistic?
    Maybe, maybe not.
    Most here do fashion a Super setup (me included), AGAINST just that possibility of some super hacker(s) as you say, who I see are really talented programmers and have already proven quite capable of trumping most (not all) security programs.
    But how long does their version last and can they crack thru "ALL" HIPS?

    I know you and I don't look through the same spectacles on many issues, DA, but you do bring up some very worthwhile points to consider realistically; of that I won't be brash and deny.

    If I read you right your main point of contention (even with me) is that piling on security programs is not in reality useful; of that I have to disagree, for the very reason that it is all too simple to exploit Windows vulnerabilities given the fact that Microsoft (by design) leaves holes in each version deliberately exploitable enough to compromise.
    But you have to look at the whole picture here. If they didn't, then that would not open the door for talented people to exercise either their training or skills to fashion all these safety programs we enjoy today.

    I can't make it simpler than that and I do believe that you are wise enough to see this comparison in the same light without resorting to some defensive posture that I don't know what I'm talking about.
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I know what you are trying to convey here but still, as this may be okay for you(?), me or whoever else here, that is just an unobtainable notion to most who either rely on an AV scanner, or just pile on the defence to try and cover everything, usually overlapping their protection with claws into every instruction.
    But that's where this forum can help with knowledge and a decent discussion :).
    Rootkit 'perception' doesn't come into it, it's another malware but different. From my view, I don't understand the rest of your statement :).
     
    Last edited: Mar 31, 2007
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    A caution to all - let's keep individuals out of the discussion and focus exclusively on technical matters.

    That said, I do think that the mythical superhacker mentioned above factors much too strongly into many users' approach to security.

    One can view it from a realistic/unrealistic angle, from a perspective of aggressively diminishing returns, or from a perspective of maintaining operational stability of the computer. It doesn't matter which perspective you employ, the end result is the same: implementing a security solution which accommodates all extant, conjectured, and hypothetical approaches without providing for any filtering with respect to perceived likelihood of occurrence or magnitude of impact begs for problems worse than the threat being supposedly turned away.

    One must certainly be prudent on the net; perhaps we should also add that a touch of parsimony in implementing security measures is also warranted. The ongoing discussion should be what's a reasonable balance between prudence and parsimony...

    Blue
     
  12. EASTER.2010

    EASTER.2010 Guest

    Couldn't have said that any better.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    BlueZannetti:
    Exactly.
    Wise words. One certainly must be careful and sensible.
     
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Actually if we are talking really about defending against the mystical super hacker, I doubt if 1 in a million programmers are qualified to review the source and to ensure that it is okay. It takes more than just knowing how to code to do this properly. Even those who are qualified don't do this for their own individual use, since it takes too much time and effort.

    Not that they are unaware of their vulnerability to the superhacker variety of attacks, but rather they wisely realize the cost/benefit ratio makes it pointless to worry.

    On the other side, they know that common untargeted attacks are fairly easy to foil. That is *why* they don't run so much security. (Another reason is that simple setups are easier to analyse for flaws.)

    There's this myth that the very knowledgeable people can protect themselves a lot better than say the average regular wilders member here hence they run so little.

    I submit this is false. The average regular Wilders member here knows enough to get by with very little really, leaving aside paranoia.

    In terms of knowledge protecting you from common malware, beyond a certain point there isn't much difference between an expert of say the caliber of ever popular Joanna Rutkowska of blue pill fame and most people here. Both can protect themselves almost equally well.

    The expert faces the same threats as people here, with exactly the same options - save maybe one which is not used as often as you might think.

    Against the mystical super hacker most experts are equally vulnerable , but they don't worry about it and neither should you.


    They can do it, heck I do it! I'm just pointing out that most people have defenses that are too good against the most common threats (that they face and should worry about), while at best having no idea if all that software really helps against the ultra-rare super hacker scenario.

    I really don't see how this is going to help. Short of us spending 5-10 years learning and gaining experience on how to do a proper security code review, how does more discussion help?

    We can discuss on the high level what the different security programs do, this can be grasped by anyone, but that won't help if you want to know if you are hackproof from a super hacker capable of targeting software.
     
  15. EASTER.2010

    EASTER.2010 Guest

    Not only some "mystical hacker" but, lest we forget, even some commonly acceptable commercial vendors can sometimes produce their own form of, let's say, a hack, which in essence was meant to deter copyright infringement. Results are the same though: entry was made easily.

    Speaking specifically of the Sony ordeal and most notably Mark Russinovich of Windows Internals caliber.
     
  16. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I guess you never heard of reverse engineering? Nobody ever said securing against a superhacker is going to be easy.

    People like you seem to think that Windows exploits are a dime a dozen.
    That's true to some extent, but it takes some skill to find them, particularly if we are talking about really *critical* ones (I find a large number reported actually can't do much without the user doing something first), and people who find them don't just use them at the drop of a hat; they hoard them and use them only when needed against high value targets.

    The noobs who get infected typically do so because of their own mistakes/social engineering OR they don't patch and they get hit by some script kiddie who reuses an exploit that was released. Of course to them, they can't tell the difference (most people don't know how they got hacked, or wouldn't be able to find out), so you can blame super hackers using super exploits if you like. Much better than admitting one is stupid or lazy.

    Your question shows you still don't get it. They don't mass produce "versions".
    This isn't a guy releasing worms and having to keep up with AVs as they respond. They know of a weakness you don't, and you can happily go about your day working on all sorts of things without knowing you have a critical weakness. If you don't know a problem exists, it will continue to exist unless you change it by accident.

    I grant you that most super hackers probably don't give a damn about beating HIPS since they are not popular, but I have no doubt that if one of them decided to look at it, they would start finding stuff, particularly since we are talking about products that have not been subjected to scrutiny of any amount. This btw isn't hypothetical.

    Really? You seem to deny everything.


    Leaving aside the paranoia about deliberate exploits, if you worry about that, use *one* of the tools, sandbox, HIPS, whatever. Maybe two tops. Not ALL of them.

    If you are postulating a guy who is going to take the trouble to target you and with enough skill to beat one of your HIPS, you bet your ass, he will do it even if you have two or three.

    Actually, it's clear to me you don't know what you are talking about. I'm not saying it to be malicious. But you have a habit of stating things with 100% certainty even when it's wrong. Have you considered you don't know as much as you think you do?

    I recommend you read a recent journal article that BZ posted.
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, but speaking for myself it isn't for individual use.
    o_O I don't worry about it.
    again,
    ...you don't think you are helping by pointing things out?
     
  18. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    And you think your HIPS would have stopped it? Most likely you would tell your HIPS not to bother with prompts when it installed and there it goes...
     
  19. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    It was more a universal "you" to people who believe that one of their duties should be to worry about that. Clearly you know better.

    Not if people don't want to accept it. :)

    It's futile really, people need a reason to play with their tools. So they overestimate the risk of such attacks and/or their ability to guard against it.
     
  20. EASTER.2010

    EASTER.2010 Guest

    Some food for thought no doubt.

    So one might be at a point of full agreement with that when accented especially by the single term "overestimate" (me included), if not for the scope of the full picture (from past experiences) which also affords us just the opposite POSSIBILITIES, as in "underestimate".
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ;)
    But you are discussing your point and some people are digesting by just reading :).
    Yes that is the learning curve for some, but hopefully they'll get there in the end.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Not taking any sides here, note. But a HIPS could help avoid an attack from some hacker. Is it still vulnerable? Sure, but that's the whole problem with software, we agree on that. For the sake of discussion:

    HIPS can detect buffer overflows, code injection, process modification, termination, etc.
    What does it not cover that hackers could do? Feature wise first, then flaws if you want. Because unless we address this, the discussion is going nowhere, and I ain't gonna learn!
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Let's get back to the topic posed by the subject question: Why cure when you can protect? It's really a rather different topic than the prophylactic (and no, I'm not indirectly referring to the topic of this thread, so no need to raise that...) administration of multiple measures to combat conjectured malware problems. In the original post, protect means implementation of measures such as a sandbox/process monitor/firewall/datawall while cure seems to refer to a classical AV type of monitoring solution.

    There's really a couple levels at which to examine this.

    First, many of the more powerful commercial prophylactic protection add-on measures (notification based HIPS) simply cannot be effectively administered by the bulk of the user base. The ones that I'd generally consider as suited for the mainstream user base (say PrevX, Online Armor, AntiExecutable; and there are many others) may have a substantial gap with respect to a user assessing whether specific downloaded content is malware or not. Note, that doesn't mean these tools don't have a place on people's machines. Each of these programs has a different approach to dealing with the shortfall mentioned, but all ultimately rely on a "curative" measure akin to a classical AV as the final diagnostic tool of record. It may be the community based/analyst validated white/black list of PrevX, the associated AV in Online Armor + AV, or the vendor recommendation to combine their product with a classical AV in the case of AE.

    Second, current implementations of classical AV's do not juxtapose cure versus protection where the implied concept behind protection is "anticipatory action" as opposed to pure post-event reaction. The realtime monitors of classical AV's are on-access. If a file is flagged, it is before any cure is needed. They can also act after the fact, although performance in this regime is mixed. Protective measures act in the same way. A user determines on-execution whether or not to allow a specific process in the same way a classical AV renders an on-access assessment. The difference resides in the explicit need for user provided approval for a preventive measure while this is automated and based on blacklisting with a classical AV. If the process starts to perform specific actions, there may be some follow-up interaction with a protective approach. Unfortunately, unless the user has an advanced understanding of program operation, actions taken after the initial allow/block of execution are perfunctory operations at best and system destabilizing at worst. Note, it is extremely unlikely that a novice user employing the specific programs that I mention above will destabilize their system - these products are designed to minimize that eventuality.

    If one accepts the above brief analysis, an obvious couple of questions would be why these products exist, are they useful, and are they absolutely needed by everyone?

    Let's take the questions posed in order. Why do these products exist? Basically, they exist for a couple of reasons. First, they fill gaps that may develop in a classical AV. Generally, those gaps are highly time dependent, but, in principle, they can exist. Furthermore, classical AV's respond to threats by varying degrees, at varying rates, and to varying degrees of comprehensiveness. By extension, the time dependent gaps vary in a similar fashion. Are these gaps important? That depends on the user and their usage style.

    Are these products useful? In many cases, yes. Like any tool, you do need some rudimentary understanding of its function to beneficially use it. They can be useful as second tier coverage to plug the time dependent gaps that occur with all products. In addition, on occasion, every AV program that I've used has encountered problems. At times it has been a failed update that did not self-correct, at times it has been lack of availability of the update server. This shortfall is not always immediately apparent. These applications do provide a level of safeguard against this eventuality. They tend to be useful in this role since, by design, they tend to be compatible with the AV application (as opposed to attempting the same end result by installing a second AV product).

    Are these products absolutely needed by everyone? Of course not, although that answer applies to all security software when you get down to it. On the home machines that I don't personally use, I have more or less settled on one level of secondary protection since I don't verify that everything is working on a frequent basis. In some cases, this may have been a useful bit of insurance to have (e.g. when an AV updater went south for a few weeks) even though this second level was not called to jump into action. What people don't really need is backup for the backup, backup for the backup's backup, or a regime where they effectively re-approve their last explicit approval a couple of times over.

    Finally, all the eventualities covered by protective applications require code to be realized. Malware is not acquired by passive osmosis. That code has a signature. That signature can be quantified and dealt with via classical AV's. One might presuppose that protective programs are vastly superior to classical AV's in that signatures are not required, but in a fashion they are. How does a user know how to respond to an alert? If you download content from a public website that, for example, purports to provide you with something you really want - let's say you're a weather freak and it's the latest hook into the Weather Service feeds - how do you know it does that and doesn't simply start, on installation, a process to upload personal files to an Internet based server for later harvest? Are you able to review a disassembly of the executable code and figure out that it is programmed as advertised? I'm not, but I will place some measure of faith in those who are.

    Blue
     
  24. EASTER.2010

    EASTER.2010 Guest

    Good point Pedro and well put i might add.

    If we focus strictly on the title for this topic my answer would be a resounding YES.

    The problem (to use as an analogy I choose AAW) is it was signature based just like anti-viruses, and samples need to be constantly collected then transferred to the server.
    A lot of legwork and tremendous pursuit is poured into those efforts and the end results always turn out the same, that is someone's system still gets compromised to the point that even more time and effort is required in tracking down, then removing the intrusion, "OR" guiding a user (forums) fully through to returning the system to as close a normal operation as it was before.
    I was told by a very good programmer who designed one of the CWS fixes that those alternative (Fixes) had reached a state where 100% removal via those methods was unrealistic, mainly due to too many registry modifications plus modifications to the policies XP was gifted with.

    You use an AS.
    It's detected an identifiable threat and alerts to the same.
    It proceeds to remove the threat by well-conceived automation.
    The threat either seizes up the scanner or constantly crashes the program or the O/S itself refuses to respond to the boot up signal.
    Enter HijackThis or another registry detector, MAYBE, if you can reach Safe Mode.
    Looks bad, won't go away, have tried everything floating that the AntiSpyware scanners offer, but wait a minute! We now have a fix!
    Run fix, problem solved, or is it?


    The answer to all that frustration/lost time etc. IMO is, as the title of this Topic states, to PROTECT! before the fact.

    I just so happen to have found through much experience, confirmed right here in this forum as well as many others, and also after a great deal of local research myself, that HIPS is the PROTECT; and most you'll find would much rather deal with a PROTECT factor than go through the dreaded CURE phase, which can't with any real certainty guarantee 100% restoration to before the fact.

    So with that conclusion folks, I hope to have added a little something of interest that others will no doubt relate to.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Easter, you have skipped a huge, huge part that precedes your bolded section.

    AS detects an identifiable threat...

    Wait!!!

    How come? Where and why?
    Why would you have a threat on your machine? Why?

    How does the threat come on? The answers are:
    Automated process - exploit - which if you do not use MS crapolla is zero.
    Deliberate execution - which is what the user decides to do. And here's the key.

    If the user wants to run a program, he will - regardless of what anyone tells him, regardless of the HIPS.

    Because process X trying to write to HKLM\Spartacus is no different than process Y trying to write to HKLM\Brain of Nazareth. And from the OS point of view, they really are the same.

    So, HIPS is not PROTECT. It is INFORM.

    PROTECT is limiting the user from doing harm. That is protect. You do that by giving the user least choice to make the wrong decision - or any decision - and given a decision - the least systemwide impact.

    Here, the key is limited environment with full productivity - Linux. In Windows, the best PROTECT you can have is pure knowledge. And if you are a lazy person, an imaging software to quickly undo unwanted changes to the OS, for whatever reason.

    Mrk
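    Added illustration (not part of the thread, and not code from any of the products named in it): the distinction Mrk draws between INFORM (a prompting HIPS hands the decision to the user, and the OS cannot tell one registry write from another) and PROTECT (limit what can run so there is no decision to get wrong), alongside Blue's point that a classical AV is an on-access blacklist. It replays one constructed event stream through three policy styles. All paths, hashes, process names and the two "user" behaviours are constructed for the example.

```python
"""Constructed comparison of three endpoint policy styles over one event stream:
classical AV on-access (hash blacklist), prompting HIPS (user decides), and
default-deny execution (allowlist, least privilege). Nothing here is real
product logic; every path, digest and name below is made up for the example."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    process: str       # executable path (constructed)
    digest: str        # stand-in for a file hash (constructed)
    action: str        # "exec" or "regwrite"
    target: str = ""   # registry key, for "regwrite" only


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed stream: an installed program, an unknown download and a known-bad
# sample. Two of them write the same autorun key; from the OS point of view
# that write is the same operation whoever performs it.
EVENTS: List[Event] = [
    Event("C:\\Program Files\\Weather\\weather.exe", "aaaa", "exec"),
    Event("C:\\Program Files\\Weather\\weather.exe", "aaaa", "regwrite", RUN_KEY),
    Event("C:\\Users\\me\\Downloads\\freebie.exe", "bbbb", "exec"),
    Event("C:\\Users\\me\\Downloads\\freebie.exe", "bbbb", "regwrite", RUN_KEY),
    Event("C:\\Users\\me\\Downloads\\known_bad.exe", "cccc", "exec"),
]

KNOWN_BAD = {"cccc"}                                      # signature blacklist (constructed)
ALLOWED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")   # execution allowlist (constructed)
SENSITIVE_KEYS = (RUN_KEY,)                               # keys a HIPS would prompt on

Verdicts = Dict[Tuple[str, str], str]


def av_on_access(events: List[Event]) -> Verdicts:
    """Classical AV, on-access: block execution of blacklisted hashes, allow the rest.
    It only reacts to what is already known, so the unknown download passes."""
    out: Verdicts = {}
    for e in events:
        if e.action == "exec":
            out[(e.process, "exec")] = "block" if e.digest in KNOWN_BAD else "allow"
        else:
            out[(e.process, e.action)] = "allow"   # no opinion on later behaviour
    return out


def hips_inform(events: List[Event], user: Callable[[Event], bool]) -> Verdicts:
    """Prompting HIPS ('inform'): sensitive actions are raised to the user and the
    user's answer becomes the verdict. The tool itself cannot tell the two writes apart."""
    out: Verdicts = {}
    for e in events:
        if e.action == "regwrite" and e.target.startswith(SENSITIVE_KEYS):
            out[(e.process, e.action)] = "allow" if user(e) else "block"
        else:
            out[(e.process, e.action)] = "allow"
    return out


def default_deny_exec(events: List[Event]) -> Verdicts:
    """Least privilege ('protect'): only executables under allowlisted directories run.
    Nothing is asked of the user, and a process that never ran never reaches the
    point of writing the autorun key."""
    out: Verdicts = {}
    denied = set()
    for e in events:
        if e.action == "exec":
            if e.process.startswith(ALLOWED_DIRS):
                out[(e.process, "exec")] = "allow"
            else:
                out[(e.process, "exec")] = "block"
                denied.add(e.process)
        elif e.process in denied:
            out[(e.process, e.action)] = "not reached"
        else:
            out[(e.process, e.action)] = "allow"
    return out


# Two constructed user behaviours for the prompting HIPS.
def click_happy(_: Event) -> bool:
    return True                                   # approves every prompt


def careful(e: Event) -> bool:
    return e.process.startswith(ALLOWED_DIRS)     # approves only installed software


if __name__ == "__main__":
    runs = [("AV on-access", av_on_access(EVENTS)),
            ("HIPS, click-happy user", hips_inform(EVENTS, click_happy)),
            ("HIPS, careful user", hips_inform(EVENTS, careful)),
            ("default-deny execution", default_deny_exec(EVENTS))]
    for name, verdicts in runs:
        print(name)
        for (proc, action), v in verdicts.items():
            print(f"  {v:<12} {action:<9} {proc}")
```

    Running it shows the point of the thread in one table: the blacklist stops only the known sample, the prompting HIPS stops the unknown download only when the user happens to answer the prompt well, and the allowlist stops it without asking, because the user was never offered a choice to get wrong.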
     