Restricting execution from user space

I noticed that you removed the word "tight" from your description of autorun control. Is that because there are other holes not covered there?

I also didn't quite follow the description. The picture shows you just modifying the HKCU\...\Windows\CurrentVersionRun permissions. Are you suggesting this needs to be done for every HKCU key? Or just the ones listed by SysInternal's autoruns program? I take it some parent permission can't be set that will just propagate down to the individual entries :S

 

Sharp remark


Removed tight, just because it describes a value from the writers point is view. Tight is relative to the security one needs, so not relevant to other readers, that is why I have removed.

Only follow the process for the HKCU entries mentioned in autoruns. This has to be done for the highest level mentioned in autoruns only.

 

I have more questions

1. So would you describe autoruns as listing every known startup location then? e.g. compared to this list
2. What about the HKLM stuff?
3. How many security apps do you know of that monitor autorun locations (either hooking or polling) and have such a complete list? Pretty much all the popular ones now, or not really?

 

HKLM is protected by UAC. So focussing on the HKCU entries of autoruns would be sufficient and most relevant (since it is a Microsoft tool) to your OS version (x86 or x64).

Most FW+HIPS have autoruns covered (Comodo, Malware Defender, Spyshelter, Online Armor, Outpost), also policy or virtualisation software like Sandboxie, DefenseWall, BufferZone, GeSWall have them protected in their containment setup. Polling based registry coverage of autoruns is more intrusion detection than intrusion prevention IMO.

 

Re: Restricing execution from user space

Hi Kees can you show us the registry keys to change to disable command and scripts?

 

See pic, you are on ultimate, easiest done through group policy

 

The reason I am so interested in this is that I want to update TinyWatcher's registry list for Win 7 64-bit. It seems grossly deficient out of the box.

The reason for this is that I don't want to run real-time security if it can be avoided, so I prefer to poll for changes on reboot, and clean up if necessary. I wish I had access to the registry list that the aforementioned HIPS cover (do any of them have some plaintext database they draw from??)

Autoruns I can see does not have quite all of the bases covered in TonyKlein's list, but that link has a few dubious/outdated things in there as far as Win 7 64-bit is concerned, from what I can see. I am actually in the process of comparing his notes to Autorun's results and seeing if I can come up with a list that I'm comfortable with.

I noticed your list here but it sounds as though it was just intended for Win XP.

 

Thanks for suggestion kees, but exe radar free works perfectly fine but will look at XYVOS antivirus and come see how it does.

As of now, I am protected with SRP, exe radar free, windows 7 firewall control, results in solid setups.

 

Well Comodo has a good autorun analyser. It covers the same as D+ HIPS, so that would be an easy option (also ability to save current entries). Comodo Autorun analyser plus HitmanPro would provide more than enough autorun protection.

That post was indeed for Win XP.

 

I'll look into Comodo then, thanks. What makes it good in your opinion, is it just that it's rare to have a transparent list, or that the list looks comprehensive, or that you've seen some results somewhere?

In my attempted comparison of autoruns and TonyKlein's lists I came to the conclusion that there are a ridiculous number of registry locations that can be used to get a back-door execution (i.e. not just on system start) that it would be more practical to either allow a particular application

a) zero registry access
b) any user-level registry access
c) any admin-level registry access

I don't know much about the registry as far as day-to-day operation of most programs.... if I completely blocked registry modification for "threat gates" like MS Office, Media players, browser, mail client etc, would they still be able to run? Are there particular registry areas that are needed for most normal programs, and are these completely safe to give potential malware access to edit?

 

Melf,

UAC protects HKLM part. The excutable locations which malware could hide in HKCU entry points can be easily removed by most AV's, so the real threat impact of all those entries is limited.

Also most AV's have checks on registry access and behavorial analysis for trojan's (for example after AVG bought Ewido, it also monitored registry key access, after AVG bought Primary Response Safe Connect it also monitored malware survival after reboot).

The Windows autoruns is a fair collection of autostart entries which have serious impact. When you tell it to show empty keys, it is failry tranaparent. Comodo AutoRun analyser checks an in-depth list and checks its AV for known malware. So you don't need to figure it out yourself (that is why I like it), also it has an option to save a scan, so you can compare it with future scans (to detect changes). I like this save-and-compare option of both autoruns and autorun analyser.

Happy hunting