Disabling Dangerous Files?

I'm trying to harden my system by deleting or renaming questionable files.

One of the files in question is FTP.exe.

A few questions I have...

1. Is FTP.exe commonly used in Windows exploits?

2. Do any third party applications need FTP.exe to function properly? Applications such as Internet Explorer, or do they have their own built-in FTP functions?

3. Would disabling FTP.exe or any other files help strengthen my system? Or would these files be dropped anyways in the event of an attack?

Your thoughts? Thanks!

 

Hello,

If and when a file is used / executed on your system without your knowledge, it means your system has been infected. This applies to any file. Therefore, disabling / deleting / renaming them is dangerous - you could end with an unbootable / crippled system.

If you mean by FTP that you run an FTP server, that's a different story entirely, but this is the case here.

Leave the files as they are. You should use a firewall and make sure that you do not locally execute malware.

Mrk

 

I disabled the kinds of things you are looking to do by renaming them years ago with no problems. This would stop malware from making use of them if they tried to, so I think it is a good idea if you don't use them. Afterwards you could also create text files with the same names as the ones you have renamed, and place them in the same locations as the genuine files with the newly named extention.

For example FTP.EXE renamed to FTP.OLD a new text file FTP.txt created then renamed to FTP.EXE You could include some text in there to remind you what it is and why etc.

Another one to rename is TELNET.EXE and there are lots more if you wished to. Not just EXE's either but DLL's too.


StevieO

 

Hello,
And what if you need ftp and telnet?
Mrk

 

Well...I know for sure that I don't use Telnet.

However, I'm not sure about FTP...

Does IE use FTP.exe to upload/download files? Or does it have it's own built-in FTP functionality?

The same question goes for malware. Do any of them use/need Windows files such as Telnet.exe, FTP.exe, etc. to operate? Or, do they have their own networking capabilities?

 

I have removed files like ftp & telnet in XP and I had no problems, eg download from FTP.
I would like to do the same in Vista, when I have time, I will look for some dangerous files.

 

Hello,
FTP is also for upload. Besides, when you download via the browser, you're not using the ftp port on your computer, you're using the browser. Besides, both telnet and ftp are services, usually on manual or even disabled. So there's no need to kill the files. At worst, you can use Group Policies to prevent access to these tools or restrict them.
Mrk

 

Argh, you are right (screen), well I will just have to do a clean instal again to get it back.
Problem with GPO is, that its settings can not be backed up so easily like security templates.

 

disabling is generally a move to "break" automated malware that might employ the files to spread or function, the alternative is to simply monitor the files (object auditing in the OS would show access or filechecker would show changes to the file itself)

the ftp.exe can be employed by several applications including Windows Update and is one of the files Id be more inclined to simply log than actually remove\rename

If you do disable it make sure your AV, Firewall, ect are able to update still.
And yes ftp is employed by malware quite often the initial infector using it to download a larger payload

you can check \ restrict its NTFS permissions then test its still able to do what you need (for instance Windows Update) this may or may not effect the ability of the malware to employ it

keep good notes and test functionality as you go along
dont rush it if this is the first time your hardening an OS for your usage pattern\aps
too many changes at once may leave you trying to figure out which one broke which ap

most automated tools are rather lean, and dont bring along a lot of replacement files, relying on default permit, while an actual intruder can figure a ways around this stuff once into your box, its really a poor return on investment for them unless your sitting on top of a credit card database. The probabilities of a real honest to goodness haXor in your box is vanishingly small (unless he's found out about your massive p0rn collection )

 

Thanks everyone for your help!

 

Besides ftp.exe, tftp.exe is another that's often used by malware to download further payloads.

However, there's a problem with simply deleting/renaming these files in that Windows file protection may simply replace them. Better to restrict their usage with policies.

 

You mean with Group Policy Editor? I'm using XP Home, so I'm not sure if I have this option.

I'm also trying to harden some 98SE systems of mine as well...

 

R. Click on file and select properties > Security tab and remove execute priviledges.

IMHO 98SE machines shouldn't be connected to public networks any longer as they're no longer supported. Therefore, they shouldn't be at risk in the first place. Time to upgrade.

 

Hmmm, that doesn't seem to work, I'm using XP Home...

 

Wouldn't it be simpler to install something like Process Guard, then you would have complete control as to whether these progs ran or not.

 

Oops, sorry - those permissions are only available in XP Pro.

 

Can you not just create limited user accounts for day-to-day activities; steer clear of the 'darker' places of the web; don't download and execute any file you don't trust completely; don't open attachments to emails and only view emails in plain text; install a software firewall and an anti-virus (and ideally a hardware firewall)

That would seem a more prudent policy than deleting system files that may be needed by the OS. Also have a look at the services running on your system, many of them you don't need, so just disable them.

All these security products are all very well, but no substitute for an aware and careful user

 

Contrary to popular opinion and what Microsoft would have you believe, Win98 can be sufficiently hardened and secured for internet use. The Win98 CD has a policy editor that isn't normally installed. It's somewhat different than the policy manager for XP.
Instructions for installing poledit98 here.
More info on using poledit here.
Poledit98 is also available for download on the above link if you don't have the 98 CD.
Rick

 

I agree 100%.

Thanks for the link...