My KISS Security Prescription For DefenseWall & GeSWall Users

Discussion in 'other anti-malware software' started by CogitoErgoSum, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

My keep it simple, stupid (KISS) security prescription for DefenseWall (DW) or GeSWall (GW) users is as follows.

    Option #1(Minimalist): DW or GW + NAT/SPI Router and/or Windows Firewall
    Option #2(Complementary layered defenses w/minimal overlap): DW or GW + Intelligent Behavior Blocker(Norton AntiBot(NAB)/Primary Response SafeConnect(PRSC), Prevx 2.0(PX) or ThreatFire(TF), etc...) + NAT/SPI Router and/or Windows Firewall

    (*Note: To provide clarification, both of the above options do not employ the use of an on-demand antivirus scanner or two-way(inbound/outbound) firewall.)

    Regardless of which of the two security options one decides to implement, I am a strong believer in the critical role that system and web browser hardening plays in reducing and/or preventing the effects of 0-day exploits, cross-site scripting(XSS), drive-by-downloads, etc... While I have originally provided the following system and browser hardening tips below to fellow DW users, they can also be used by GW users.

    http://gladiator-antivirus.com/forum/index.php?showtopic=71660 (*Note: Please take note of post #'s 3, 5, 7, 10, 18, 28-29, 31, 35, 40-42 in this link.)

    For those DW users who have not yet taken a look at the link below, you may find it useful.

    https://www.wilderssecurity.com/showpost.php?p=1250098&postcount=2

    For those of us who choose to run naked and live dangerously(sans resident antivirus) as the above security combinations propose, I have put together two different resource lists at the following links below that one may be interested in.

    http://gladiator-antivirus.com/forum/index.php?showtopic=73830&st=0&p=207357&#entry207357
    http://gladiator-antivirus.com/forum/index.php?showtopic=73840&st=0&p=207390&#entry207390

    The links below contain some interesting information regarding NAB/PRSC.

    https://www.wilderssecurity.com/showpost.php?p=1174803&postcount=26 (Malware Test)
    https://www.wilderssecurity.com/showpost.php?p=1176147&postcount=32 (Malware Test)
    https://www.wilderssecurity.com/showpost.php?p=1195237&postcount=34 (Malware Test)
    https://www.wilderssecurity.com/showpost.php?p=1236837&postcount=9
    https://www.wilderssecurity.com/showpost.php?p=1267673&postcount=67 (PRSC News)

    Lastly, the links below contain practical information regarding NAB/PRSC.

    http://www.sanasecurity.com/products/home/sc/faq.php (PRSC FAQ's)
    http://www.sanasecurity.com/why_sana/technology/activeMDT.php (PRSC's Active Malware Defense Technology (Active MDT))
    http://www.sanasecurity.com/common/files/prsc_eval_readme.pdf (Evaluating Primary Response SafeConnect Overview)
    http://www.sanasecurity.com/common/files/PRSC_WP.pdf (Primary Response SafeConnect Technical Whitepaper)
    https://www.wilderssecurity.com/showpost.php?p=1269739&postcount=68 (Basic "free" customer/technical email support and misc.)
    https://www.wilderssecurity.com/showpost.php?p=1269774&postcount=70 (PRSC Components/Processes)


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jun 27, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Normally running less naked on the street, so

    - noob variant would be: GS or DW with (freeware) AV + default OS FW (behind NAT router)
    - enthusiast variant would be identical to yours (2nd option)

    Regards Kees
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    My God. I was just lost. It was link after a link. I gave up in the end.
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

Thanks for the constructive criticism. To address your concerns I have attempted to provide "direct" links where possible in my original post to do away with the link-upon-link syndrome. While I have to admit that it is still a bit busy, I feel that it is a noticeable improvement and a good compromise.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jun 25, 2008
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
It's a better move. Just a few comments, and this is only my opinion of course.

    1- Good testing with PRSC, but you did not mention how many detections were signature based. Also TF checks first for bad behavior and then the black list, but PRSC seems to work the opposite way to me, as I have seen it detecting inactive malware installers etc.; it seems some type of disk read/write is being scanned against a black list. Am I right?

    2- I can understand that tweaking/hardening is good, but I am always avoiding it. It takes a lot of time and after a long time, you might need a service/feature and get into trouble as it is disabled. You might even forget what tweaks etc. you had applied in the past and might not know the root cause of some problems you face.

    I cover all such weaknesses with execution control HIPS.

    3- Not a fan of so many URL checkers, link scanners, free scanners etc. No time to scan a file here and there. It's a big hassle for me at least.
     
  6. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    In regards to your questions in comment #1, while I am not able to recall the exact detection method of each and every malware sample tested in the three above mentioned links, to the best of my recollection, I believe that PRSC detected most(better than 50%) of them by behavioral heuristics. Lastly, it has been my personal experience that PRSC, in most cases, will first analyze the combination of potentially malicious behaviors of the malware sample in question. The only reasonable explanation that I can think of regarding your impression that PRSC first detects malware via blacklist or signature before performing behavioral analysis is because I have observed that PRSC identifies certain malware samples as a "known" piece of malware. On Sana Security's web site, PRSC is described as not relying upon traditional signatures, but because of my observation, until proven otherwise, I am inclined to believe that PRSC employs some form of blacklist. If one thinks about it, behavioral heuristics can also be considered a blacklist of specific "actions".

    In regards to your comments in #2, based upon trial and error and due diligence, I have determined that "most" of the system specific hardening tips that I have listed will "not" disable the most commonly used services/features/functionality within Windows XP SP3/Vista SP1. On many of the tips I have also noted if applying a particular tweak will break some functionality.

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

I just got two replies from Jeremy at Sana Security that best address your inquiry. His response is posted below in quotes.

"PRSC has a very, very small black list for really the most common malware, so less experienced users will feel more comfortable if they experience a common detection. Having the name of a threat presented usually gives a better feeling of accuracy than just an 'an unknown something-or-other happened, what do you want to do' type dialog.

    Depending on the flavor of PRSC (Norton Antibot, PRSC, or other partner versions) the black list will be checked either on file creations and execution, or just file execution. If it matches, an alert will be immediately generated before the behavioral threshold for detection is reached.

    You're pretty much right on, except for black list/behavioral event timing. Here's the real-real answer:

Behavioral events and black list checking are multi-threaded. Disk events, process events, fingerprint calculation, digital signature calculation, network monitoring, etc. are all asynchronous, so there is no guarantee that one will happen before another. In fact, the only guarantee is that the agent will, as long as there isn't excessive system lag, pick up behavioral events in roughly the order they are generated by the system. However, the check against the black list is so quick, it will almost always return first--this is the nature of asynchronous systems. So when you get down to the details, there really isn't a 'first' or 'second', even though we may use those words. It is only first or second because the probability of the thread checking a fingerprint of a file or process returning first with a conviction is higher than the behavioral alert threshold being reached."

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jun 26, 2008
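To make the mechanism in Jeremy's reply concrete, here is an added illustration (my own constructed model, not Sana's or PRSC's code) of two independent detection paths racing to a verdict: a cheap fingerprint lookup against a small black list, and a behavioral score that accumulates event weights until an alert threshold is reached. The black list, event kinds, weights, threshold and the lookup latency are all assumed values chosen for the demonstration; the `check_on_create` flag stands in for the "file creation and execution" versus "execution only" difference between product flavours mentioned in the reply.

```python
"""Constructed model of a black-list check racing a behavioral threshold.
Not PRSC code; every name, weight and latency here is an assumption."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample: we hash harmless bytes and treat that hash as "known".
KNOWN_HASH = hashlib.sha256(b"constructed-known-sample").hexdigest()
BLACKLIST = {KNOWN_HASH: "Known.Sample.A"}   # assumed black-list entry

# Assumed behavioral weights; a real engine's weights are not public here.
BEHAVIOR_WEIGHTS = {
    "drop_executable_in_temp": 2,
    "write_startup_registry": 3,
    "inject_into_process": 4,
    "disable_security_service": 4,
    "open_outbound_connection": 1,
}
THRESHOLD = 6          # assumed alert threshold
LOOKUP_LATENCY = 0.1   # assumed hash-lookup cost (ms); tiny, so it usually wins


@dataclass
class Event:
    t: float        # time the system generated the event (ms)
    kind: str       # "create", "execute" or a behavior name above


@dataclass
class Verdict:
    source: str = "none"        # "blacklist", "behavior" or "none"
    detail: str = ""
    time: float = float("inf")  # when the conviction became available
    score: int = 0
    trace: list = field(default_factory=list)  # (t, kind, running score)


def fingerprint_check(data: bytes, t: float):
    """Hash lookup; returns (conviction time, name) or None."""
    h = hashlib.sha256(data).hexdigest()
    if h in BLACKLIST:
        return t + LOOKUP_LATENCY, BLACKLIST[h]
    return None


def analyze(file_bytes: bytes, events, check_on_create=False,
            threshold=THRESHOLD) -> Verdict:
    """Run both paths over the same event stream; the earliest conviction wins.

    The agent sees events in generation order (sorted by t). The black-list
    path fires on the first trigger event; the behavioral path fires when the
    running score reaches the threshold. Neither path waits for the other.
    """
    events = sorted(events, key=lambda e: e.t)
    triggers = {"execute"} | ({"create"} if check_on_create else set())
    v = Verdict()
    candidates = []  # (time, source, detail)

    # Path 1: fingerprint lookup on the first trigger event.
    first_trigger = next((e for e in events if e.kind in triggers), None)
    if first_trigger is not None:
        hit = fingerprint_check(file_bytes, first_trigger.t)
        if hit:
            candidates.append((hit[0], "blacklist", hit[1]))

    # Path 2: behavioral score accumulates; conviction at the threshold event.
    score = 0
    for e in events:
        w = BEHAVIOR_WEIGHTS.get(e.kind, 0)
        if not w:
            continue
        score += w
        v.trace.append((e.t, e.kind, score))
        if score >= threshold:
            candidates.append((e.t, "behavior", f"score {score} >= {threshold}"))
            break
    v.score = score

    if candidates:
        v.time, v.source, v.detail = min(candidates, key=lambda c: c[0])
    return v


if __name__ == "__main__":
    stream = [Event(0, "execute"), Event(10, "drop_executable_in_temp"),
              Event(20, "write_startup_registry"), Event(30, "inject_into_process")]
    print(analyze(b"constructed-known-sample", stream))  # black list wins at 0.1 ms
    print(analyze(b"constructed-unknown-sample", stream))  # behavior wins at 30 ms
```

Running the two calls at the bottom shows the point of the reply: for the known sample both paths would eventually convict, but the lookup result is available at 0.1 ms while the behavioral threshold is only crossed at the third suspicious event, so the user sees a named detection; for the unknown sample only the behavioral path convicts. Swapping `check_on_create=True` moves the lookup earlier when a "create" event precedes the "execute" event.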
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for this info. Much appreciated.
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     