To what end do you desire security?

Thanks for testing wat0114.

You can make a copy of the Security Tool.exe and rename to Security Tool.pif.

File extensions need to be shown in order to do so.

I don't think I will look any further into LUA or Applocker as Sandboxie and to a lesser extent Returnil have served me beyond fine for a long time and through many malware samples.

 

Thanks Frankilin. Applocker stopped it. So as katio mentions and provides the link where Windchild explains it nicely, Applocker is not necessarily blocking by extension.

 

Thanks again wat0114.

Well all I can really say at this stage is that if you're happy with your setups and it suits your needs then use it.

For a bit of a laugh:
Most Secure Operating System

 

I opt for several security layers, so that if malware were to get through one layer then (hopefully) another layer would catch it. This is perhaps the antithesis of a carefully crafted system running under LUA.

According to Marco Giuliani at http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html :

"Then there's a myth that needs to be debunked: Windows, if used with standard limited user privileges it's safe from malware.

This is wrong, we have talked about this previously on this blog, and SpyEye is the perfect answer. SpyEye is able to install itself and perfectly run from limited accounts. Yes, it could still steal sensitive data from the browser, even if run with limited privileges."

Perhaps the setup advocated by Rmus is not actually vulnerable to this malware. But I'm personally very wary of relying on a single, silver bullet to deal with all the malware that's around.

 

The LUA compatible rogue AVs I've seen really were extremely easy to remove - reminding me of the "old school" trojans back when XP was latest and greatest. You shouldn't even need safe mode: just logging out of the infected account and into an admin account should be enough to kill the malware and let you easily clean it manually or with anti-malware software.

As one should always remember, though, the malware can do damage inside the limited user account: removing wallpapers certainly, but also nastier stuff like stealing or deleting data files the user has write access to.

Certainly LUA is no silver bullet of computer security - nothing is, except perhaps knowledge. And it certainly shouldn't be the only defensive measure. The first defensive measure should be the skill of the user: in such things as not executing random stuff.

 

Oh, I could not agree more. I have made a pretty decent amount of money fixing vista computers with UAC enabled because people download, execute, click OK to elevate and then have issues. It appears that win7 will be much of the same from the looks of things.

Sul.

 

I tested some similar samples recently using Windows 7 x64 in both a standard account and an admin account with UAC on max and no AppLocker/SRP rules. My results are the same as wat0114's. Some of the samples wanted admin privileges, which resulted in UAC prompts - I denied the requests. Using Prevx, Autoruns, and watching for bad behavior, I believe that the samples likely affected only the account in which they were run - no bad behavior was noticed in the other account that I logged into.

 

UAC compliance requires a manifest in the application, the informs the OS admin rights are needed. UAC then in turn makes it convenient for the end user to elevate via its prompt. Older applications or applications that don't adhere to this manifest will terminate in a variety of ways. Some just won't run when they try to access areas that need admin rights. Some will only get to a certain point then terminate, while others might cause the system to throw a prompt saying "this needs admin" or "you don't have admin rights to do this".

How do you know that malware would not have smitten you if you did not expect it to be malware and had clicked ok on the UAC prompt? Eice and myself had a conversatin about the ramifications that UAC has, on how easily it is to elevate with it, and whether or not the typical user who downloads all sorts of programs is better of with or without it. You can trust the source, but it is known that even trusted sources can be hacked. You can scan the file before execution, but you rely on the scanner actually being able to detect it. You can use a hips which if you are educated can tell you a lot. You can use a default deny or applocker and SRP, but it does not change that when you want to execute you will make an exception, and there is still no sure way of knowing. You can open it in VM or SBIE, but you still need a way to find if the item in question is good or bad. Do you run hips inside VM to be sure? I have often. Do you submit the item to an online scan that uses multiple engines? I do often.

Obviously I am talking about people who try a lot of different things, not those who configure thier system and stay like that indefinately.

My question, "To what end do you desire security" is partially spurred by this thought process. Do I go out of my way to implement methods that truly let me know? Or do I just accept that some things can never be known without a lot of work in doing so. For me, I no longer care to put the effort towards making sure everything is always squeeky clean, because I realize it is a full-time job to do so. I chose a few methods and tools, and will live with the consequences that might come, if they ever do. I attempt to install tools from trusted sources. Sometimes though you find a little tool you must try, usually from some obscure corner of the net. I might turn on a firewall or hips or drop it in vmWare and do the same, or I might just run it and watch my processes. My end to security is that I am almost at an end of striving to achieve 100%.

Sul.

 

I happen to think that the average Joe probably isn't saved so much by UAC prompts - see Paper "Investigating User Account Control Practices" studies 20 users of UAC and LUA. Other UAC technologies, such as Protected Mode Internet Explorer, on the other hand, IMHO probably save a lot more people from damage.

 

I agree whole-heartedly

Sul.

 

The most insidious of the samples I tested didn't even trigger a UAC alert in the limited account. It simply installed to the user-writable directories, then worked up a full head of steam upon me rebooting. Of course it must stand to reason the UAC didn't trigger because the malware installed to non-system directiories, or am I mistaken in this assumption?

 

(my editing for line spacing)

Well, this is certainly the best summary I've seen of the difficulties encountered by security-conscious users.

It's an expansion of what I've written in the past, You trust your judgment, or a scanner, or both.

Trust. At some point we have to trust.

Another factor is Risk Assessment. I think BlueZannetti first used this expression around here. I used to say, Calculate your risks.

A lot depends on percentages. This from the NoScript FAQ, a question about the possibility of a malicious script being embedded in a trusted site:

I emphasized likely not. Since most agree that nothing is 100% sure, at some point we have to say, OK. We assess the risks and then make a decision.

Several years ago, I stopped recommending security solutions (for the most part) on the forums, because I realized that without knowing the user's state of mind and computing habits, it's almost impossible (and a bit dangerous) to advise on this or that course of action.

My own approach has been to work directly with users, in which case I can start with policies and procedures (I think Lucy has that in his signature) which are really the most important steps to start with.

See Bojan's sans.org Diary referenced in MrBrian's thread, which uses an example of one of the most permicious and widespread exploits around today, the RogueAV. The exploit starts with the user being redirected to a malicious web site, and then agreeing to install a Video ActiveX object:

How RogueAV does search engine optimization
https://www.wilderssecurity.com/showthread.php?t=275968

First, an alert user will realize she/he isn't on the site that was clicked.

Second, a firm policy in place of not installing anything you didn't go looking for nullifies the exploit from the start.

You don't need *any* security *product* to prevent this!


----
rich

 

Rich, I think you were ahead of the times, bleeding edge so to speak, ~ Removed Comment - No Need to Discuss Past Members ~

https://www.wilderssecurity.com/showpost.php?p=634443&postcount=30

Heck, you were already talking about not recommending antivirus, whitelisting and default-deny, and that's a long time ago in computer years

 

Yep, we have to trust at some point, whether it be the userland application, the OS, or the hardware.

The best way to "verify" applications is to check digital sigs and make sure the app is legitimately from who it is supposed to be from. The sig can't tell you if the app contains malware but it can tell you whether the app should be trusted in the sense of its origin. It is ultimately up to the user whether to trust the individual and/or company. Again, we all have to trust at some point (like M$ for instance. Who is to say M$ doesn't have rogues on the inside? We can never be sure 100%).

If all developers would sign their apps and if users were given an easy way to check sigs, we would see malware infections decline precipitously. Unfortunately, in the Windows world, most developers do not sign their apps.

 

Maybe some of these samples interfere with each other, and so the execution order makes a difference in the behavior noticed? I think one of the samples that I tried installed to places that a standard user can write to (which wouldn't require a UAC prompt), but also tried to do some admin stuff (which resulted in a UAC prompt); I could be mistaken though.

 

Given that you're insecure enough about the competition that you need to spell their name as "M$", of course you can't. No surprise there.

The rest of us, on the other hand, live out our lives perfectly well without tinted glasses or tinfoil hats.

 

Microsoft has a log track record of insecure operating systems that store large amounts of user data. AFAIC, they haven't exactly earned my trust. The OS can't be treated any differently than any other software. No matter what OS we choose, it's a compromise decision. Unless you're relying on vendors to take care of your security needs for you, you have to take the OS, its weaknesses and its undesired behaviors into account. I for one will not tolerate a system that constantly requires that I prove that I own it. A company that doesn't trust its own customers doesn't deserve to be trusted. If that's "tinfoil hat" material to you, so be it.

 

I'm glad for you. Looks like you stumbled on the brilliant strategy of attacking a point completely different from the topic at hand, and pretend they're somehow linked.

If you have to create diversionary targets just so you have something to bash, I think my point is pretty much proven. Cheers.

 

Well, M$ has done much evil to the world and M$ must be stopped from further achieving its deleterious hostile take over of the world. M$ is the spawn of Satan and Steve Ballmer is the son of the devil himself. Ballmer and M$ are all about the $$$$.

I look at the world through a set of penguin tinted spectacles.

 

I got a pretty simple and still relatively convenient solution for that. I use two PCs. One runs just the OS and two or three apps that are widely used and where I verified checksums/signatures and scanned for malware. It's an absolutely static system apart from security patches. That also makes it easy to lock it down tightly.
On the other system I run all sorts of random programs. It's not connected to the internet and all data transfer is over physical media. I treat it like it is "definitely" infected, it "probably" is but can't do much harm because it's isolated.

You might ask why I'm not using VMs for that. I'm not willing to take the performance hit especially since I have to run some very demanding software (3d, real-time...).

 

Just a simple ditty from a simple surfer.

Security ? It can become an obsession and does to many people. The effort and expense in search of eternal purity and clinical salvation from the bad guys can easily become a pathway to diminishing returns.

Well, each to his own I guess, but Sully has made a very economic and practical point when he states he is fed up with the infinite march towards ENDGAME.

My attitude ? Sandboxie and a good AV plus Firewall. NoScript, ABP and one or two other devices. All the rest of the spaghetti razzmatazz surrounding the unattainable goal of the absolute is not for me. Play it cool.

Not a lot of people know this - but the Pentagon do ! A disabled UK teenager hacked into the massive security of the Pentagon from his little back room ! Some security ! AND WE worry about our pitiful presence on the Internet.
For that, this poor lad is threatened with deportation and a long prison sentence. They should give him a top job !

PLEASE NOTE : The above is not intended to stray off-topic, but is given as an extreme example of how even massive security is fallible.

John B

 

I got here a little late, but here's my contribution. Based on what I've learned from my malware test boxes over time (with proper O/S and browser configurations), I will never surrender a Limited User Account coupled with Windows Security Settings. With everything properly configured, I can't purposely infect myself anymore either in the Internet or with live malware. This empowerment has been a tremendous asset since I work in an IT department with various users.

 

SSM stands for??

 

He's got to be talking about System Safety Monitor.