The irrelevance of Applocker / relevance of SAFE admin tweaks

Now, thinking better, I believe I remember seeing a Temp folder within my profile, which is placed at Desktop. But, for whatever reason, Chromium seems not able to create this Temp folder, despite the fact the profile is set with Low IL as well. Crazy, crazy...

 

OK.

As I mentioned, I cannot start Chromium via the EXE file; nor via shortcut. Considering, since the start, I've been running Chromium through a batch file with customized settings, I never gave much importance to this.

So, resuming: I'm able to start Chromium through cmd line (batch file), which runs with an inherited Medium IL. Otherwise, I simply can't.

This beats me why would Sully be able to run it by clicking the EXE or using shortcut; I assume you do it this way?

It also beats me how you're able to download anything to a Low IL folder, without adding a Low IL to the Temp folder. I haven't set the Temp folder with a Low IL, because I don't know what colateral damages would that make to other applications making use of such folder.

Since most would run with an inherited Medium IL, they would access the Temp folder without issues. Makes sense. Still, not sure I want to go down that road without proper testing.

Edit: C:\Users\<username>\AppData\Local\Temp has a default Medium IL. But, any object running Low, should be able to write to C:\Users\<username>\AppData\Local\Temp\Low, which comes with a default Low IL. I'm guessing that Chromium with an explicit/mandatory IL of Low cannot write to this folder, unless this Temp folder gets an explicit Low IL?

Well, I'm heading toward a virtual machine and test stuff over there. If I manage to make it work, it works, if it doesn't, it doesn't.

 

OK.

So, I already tested it in a virtual machine, and to be able to download I had, indeed, to set Temp folder with a Low IL.

Now, the remaining doubt is: Will this, somehow, provoke collateral damage to other applications that make use of the Temp folder?

This leaves me to decide the following, for both security and usability, for as long as I try to understand what an explicit Low IL to the Temp folder will provoke to other applications:

* Due to the security bug Sully came across with Chromium/Chrome/Iron/etc related to the child processes having Medium IL under certain conditions, I'm running (already was) Chromium with an explicit Low IL. My user profile, which is at Desktop, also has a Low IL. But, not the Temp folder; so, I cannot download with Chromium. As a work around, I'm making use of a download manager. It works for those links where you just have to right-click it and the download manager intercepts it. I haven't tested for downloads within javascript code. But, I'm guessing it would have the same effect, as long as the download manageris able to intercept it.

* I have my Profile folder with an ACE that prevents writing to it.

* Basically, this profile cannot write to anywhere.

This leaves no door to infections through the browser, when using this profile. If it can't write, at all, no damage can happen.

Now, and this is something I still haven't tested deeply, but when I, sometime ago, did some testing, I could not take away the low ILs of objects, if took out of a Low IL folder. The only option would be to moved them into a Medium IL folder.
It came to my attention, moments ago, that using chml, it is possible to remove the labels. This way, the object would inherate a default Medium level. (Considering a standard user account, or even Admin with UAC; Admin without UAC would be a High level.)

When we download something, if even we take it away from the folder, it's something we meant to download, so it's something we will eventually trust. I see no problems with this?

What do you guys think, if setting Temp folder with Low IL, so that one can download with the browser, of setting the Downloads folder to Low IL, NoReadUp, NoExecuteUp and NoWriteUp?

NoReadUp is necessary, because, despite the fact a low object cannot create to higher or modify higher objects, it still can read data.

Then, simply remove the labels, when you wish it so, by, perhaps, drag and dropping the exe to SAFE-Admin?

Share your thoughts on this.

 

Moonblood,

Let me first tell you that I appreciate very much your contribution in the development of Safe-Admin.

My 2 cents

Lowering a directory in right should noy have impact on other programs. UAC blocks lower accessing higher, so lowering one could not do any harm.

I think I have found a way to add USB protection also to Safe-Admin (I am the lazy one, just bringing in concepts and ideas, Sully does all the hard work while sparring on implementation with Moonblood ).

I think we have established a transparent way of working with safe-admin. Maybe we should wait until Sully comes with his first alpha release. I hope you will be able to assist us with power user testing.

Regards Kees

 

I think the UI has most of the ideas needed. As this developed and the ideas were going different directions due to learning more about the mechanisms, especially Integrity Levels, there became a need to know what would work and what was speculation. Right now I am testing all the things we think we have decided on to see how it works in a default environment, which aspects will be of value, which ones won't. So you could say that we are working on the actual 'inner workings' of the SAFE project.

Correct. The temp directory isn't needed to have Low IL. In fact, which Chromium, setting Chrome.exe to Low IL is all that is needed, at least if it lives in %programfiles%. To download files, I only had to set the Downloads directory to either Untrusted or Low IL. To save preferences, I had to set %userprofile%\appdata\local\chromium to a Low IL.

The collateral damage would be that another Low IL process would then have permission to write/delete to that directory. Processes running at Medium IL would not be impacted.

I could start Chrome and Opera from either the desktop shortcut or the actual .exe. No issues as you state at all.

Using SDDL it is simply "file",2,"S : P". Some other combinations are needed for directories or all objects in a directory. Chml does the same thing, but not sure what mechanism is used. An SACL follows a file when you move it. If you copy the file and paste somewhere with default IL, the copy of the original has no SACL, so it gets whatever it is told to from the directory you copied it to. This is normally nothing, meaning an Implicit Medium IL from the OS.

No problems, correct. However, there is a difference IMO. I can MEAN to download something, but that doesn't MEAN it is not infected etc.

The NX applied to a Low IL area will prevent lower ILs from executing it. So an Untrusted IL could not execute an object with a Low IL + NX flag. Not what we want. To use it we want the objects that are downloaded to have a Medium IL + NX. In this way the Low IL browser process could not "execute up" the Medium IL files that were downloaded. The problem is that there is no way to tell the Downloads directory to have the Low IL needed so that you can write to it while also having it apply a Medium IL + NX to the files downloaded into it. If you download a file, apply a Medium IL + NX flag to it, you can still execute it from a Low IL process if there is a manifest. The manifest is examined and then uses UAC to elevate it. So in theory, an infected type of file that has a manifest can bypass the NX flag. Now what do you rely on? The UAC prompt will come up saying this program wants to modify or whatever. Your NX flag is bypassed and when you click OK on UAC whatever the file wants to do happens.

The NW flag seems to only apply to files only. Setting the NW flag on a file prevents lower ILs from writing to it. I have tried and tried to set the downloads directory to Medium IL without the NW flag. It can be done easily. But no matter what combination I use, a Low IL cannot write to a Medium IL directory, regardless of what flags you use on the Medium IL dir. I had hoped the fact the the NW was missing from the downloads directory would then allow a Low IL process to write to it, but I cannot achieve that.

This stuff is what will go into the alpha. While I have a good overall concept of the UI now, I need to know what to do with our targets, such as chrome. So this testing is not only useful to understand, but serves to help me know what changes might need to be made to the UI from the findings.

Sul.

 

Here are a couple options that might interest someone regarding the zones and downloaded files.

http://support.microsoft.com/kb/883260

Sul.

 

Yep does not write the ADS info. The ADS info is also used in combo with the IAttachmentExecute-API by AV's like Avast. See f.i. my lean Avast setup. Even while Avast does not check on execution (only on write) it still checks execution of downloaded files.

Regards Kees

 

Here is a small tool for an example of the context menus for SAFE. This is alpha version 1.0.

The defaults are to place the program (SAFE_a10.exe) into the root of c:
The registry file should then be merged. If you feel like placing the application elsewhere, you must modify the registry values to the correct path. !! don't forget in the .reg file to use \\ instead of \ on your paths if you change it, else it won't work !!

This application and registry file will create a small context menu titled SAFE. You will then have the option of flagging a file to RUNASADMIN, RUNASINVOKER or to remove it.

This is alpha version, and meant only to get feedback on how it is implemented, on how the text is displayed (does it convey the message as to what is going on) and in general to feel out what others see in it. It is not, to my knowledge, UAC compliant. It is designed to be used in "quiet UAC mode". You may have to add a RUNASADMIN for the SAFE_a10.exe itself. The SAFE project will itself be UAC compliant, but this is only a code snippet and not subject to the same practices.

I am also wanting to know peoples thoughts on whether these types of registry settings would be better in HKCU instead of HKLM where they are currently located.

www.mrwoojoo.com/safe_admin/SAFE_a10.zip

Sul.

 

To anyone interested, I have quite a bit of the groundwork laid out now. I discovered though that the cascading context menu I was using only works with com in win7. Vista/XP will not work like I had planned. I am now going to play with ATL and create a shell extension.. I think. Anyone here work with VisualStudio 6 and create shell extensions before? I have some good articles on it, but a wrapper would be so nice

Depending on how long it looks like the shell extension foray might last, it is possible I will get a version out with a context menu that is NOT like I want, but works. Life has a funny way of demanding my time when I least want it to, like when I get into code like this. Getting sidetracked blows.

Sul.

 

I hope mods will agree with a thread in other anti-malware software, when Safe-Admin launches beta

 

I managed to get a basic shell extension built, but it is because I found a good guide and wizard. I am not well versed in com/atl, so what I have planned is of course not simplistic. The time I have to devote to c++ is limited, so I have an alternate route. I really don't like the aspect of not doing everything 'in house' myself, as a matter of fact, I loathe it. But, to get this to work the way I want on any version other than win7, I have to make a concession. This does not even address creating a 64bit handler.

I found a dll that will work with me and do what I want. 7zip uses it, as do a few other recognizable utilities. It also comes in both 32x and 64x flavors as well. In win7 I could utilize some new registry parameters for the context menus, meaning there would be no dependencies. Using this route, whether I create my own or use an existing one like I found, I must use a dll. Not as clean as I would like it, but the functions that can be implemented with it are worth it IMHO.

Anyway, it looks like with a little tweaking I can have a cascading context menu to house what I want that seems to work just fine. I will start creating this portion first, then let whomever test it, and go from there before attacking the UI portion.

Sul.

 

Here are some screens of the initial layout for the context menus. One set is for files, the other for folders. This would be an advanced context menu. A basic version would have only a few options and no submenus.

www.mrwoojoo.com/safe_admin/file_context000.jpg
www.mrwoojoo.com/safe_admin/file_context001.jpg
www.mrwoojoo.com/safe_admin/file_context002.jpg
www.mrwoojoo.com/safe_admin/file_context003.jpg
www.mrwoojoo.com/safe_admin/file_context004.jpg
www.mrwoojoo.com/safe_admin/file_context005.jpg
www.mrwoojoo.com/safe_admin/file_context006.jpg
www.mrwoojoo.com/safe_admin/folder_context007.jpg
www.mrwoojoo.com/safe_admin/folder_context008.jpg
www.mrwoojoo.com/safe_admin/folder_context009.jpg
www.mrwoojoo.com/safe_admin/folder_context010.jpg
www.mrwoojoo.com/safe_admin/folder_context011.jpg

Opinions?

Sul.

 

Put a little more explanation in the context?

Acces Control List
- Set Deny Execute
- Remove Deny Exec.

Application Compatibility
- Run As Administrator
- Run x32 Virtualised
- Remove (run setting)

Enhanced Mitigation
- Add to EMET2 protection
- Remove from EMET2 list

Integrity Level (rights)
- Low (Protected mode)
- Medium (LUA = basic user)
- High (Administrator)

Internet Zone
- Block (Download/Execution)
- Unblock (Remove zone info)

Above are the menu and (-) sub menu descriptions

 

An experience level suggestion see pic

 

Yes, more descriptive wording is a must. I wonder how descriptive to make it, in order to keep it short for space. As well, I wonder if technical terms are more appropriate or laymans terms.

And yes, the screens are from what I would/could possibly think to include. Those grouped without submenus, as you indicated, are more in line with a basic mode.

The shell extension seems to be working fine. A little archaic in the syntax it uses, confusing to look at, but manageable I believe. I am wondering now about using overdrawn icons on it. It is an option, but I would either have to use an icon from a dll (I think it allows that) or I will have to include the icons in the safe program or the safe UI program. Is a picture worth a thousand words in the case of a context menu?

Sul.

 

It is, but don't do it now. A good pictogram system design takes a long time by very specialised people. So it is more the geek in you who wants to explorer that possibility. I am not confident it is possible to design a set of clear icons/pictograms in such short notice.

Regards Kees

 

I second that !! Sully, i would suggest you to keep this as it is.

 

I was not meaning to replace the text with icons, although that would be nice to do. I meant you can put icons next to some/all of the context menu entries. It is an option to use if I were to wish to do so, I only need to enable it. I understand what you guys are saying, and I agree

Here are some tests regarding the ADS (Alternate Data Streams) and the 1806 registry value.

Code:

[B]Zones[/B]
0=local machine
1=local intranet
2=trusted sites
3=internet
4=restricted sites


[B]URLACTION_SHELL_EXECUTE_HIGHRISK (0x00001806)[/B]
[I]Internet Explorer 6 for Windows XP SP2 and later.
Determines whether launching dangerous files
(file types known to be used by viruses and other malicious code)
is permitted from the URL security zone.[/I]

[B][I]1806 parameters from MSDN[/I][/B]
0x0 = action allowed
0x1 = user is prompted
0x3 = action is denied

[SIZE="3"][B]TESTS - settings of 1806 and reactions[/B][/SIZE]
note - using default win7 install with IE - UAC is off

[B]Download file from internet[/B]
@ 0x0 download is allowed, no ADS present
@ 0x1 download is allowed, ADS zoneid=3
@ 0x2 download is denied with message
@ 0x3 download is denied with message
@ 0x4 download is denied with message

[B]Execute downloaded file from internet (execute locally)[/B]
@ 0x0 execution is allowed
@ 0x1 execution is allowed with prompt
@ 0x2 execution is denied with message
@ 0x3 execution is denied with message
@ 0x4 execution is denied with message

[B]Execute file from internet without saving (execute remotely)[/B]
@ 0x0 remote execution allowed with publisher rules prompt
@ 0x1 remote execution allowed with publisher rules prompt
@ 0x2 remote execution denied with message
@ 0x3 remote execution denied with message
@ 0x4 remote execution denied with message


[B]Download file from lan[/B]
in all cases, lan download is allowed with no ADS present

[B]Execute downloaded file from lan (execute locally)[/B]
in all cases, executing local file from lan is allowed

[B]Execute file from lan without saving (execute remotely)[/B]
@ 0x0 lan remote execution is allowed
@ 0x1 lan remote execution allowed with publisher rules prompt
@ 0x2 lan remote execution is denied silently
@ 0x3 lan remote execution is denied with message
@ 0x4 lan remote execution is denied silently


[B]downloaded files have ADS present[/B]
test each zoneid value [0 - 4]
against each 1806 value [0 - 4]

[I](the value zoneid is what is used in blocking/unblocking a file downloaded from the internet, when implemented)[/I]

[B]zoneid @ 0[/B]
@ 0x0 execution allowed
@ 0x1 execution allowed
@ 0x2 execution allowed
@ 0x3 execution allowed
@ 0x4 execution allowed

[B]zoneid @ 1[/B]
@ 0x0 execution allowed
@ 0x1 execution allowed
@ 0x2 execution allowed
@ 0x3 execution allowed
@ 0x4 execution allowed

[B]zoneid @ 2[/B]
@ 0x0 execution allowed
@ 0x1 execution allowed
@ 0x2 execution allowed
@ 0x3 execution allowed
@ 0x4 execution allowed

[B]zoneid @ 3[/B]
@ 0x0 execution allowed
@ 0x1 execution allowed with prompt
@ 0x2 execution denied with NO prompt
@ 0x3 execution denied with prompt
@ 0x4 execution denied with NO prompt

[B]zoneid @ 4[/B]
@ 0x0 execution denied with message
@ 0x1 execution denied with message
@ 0x2 execution denied with message
@ 0x3 execution denied with message
@ 0x4 execution denied with message

I should have a small tool up today hopefully that some can run. It will make sure in different circumstances that SAFE can read registry values, and displays what it found. The concern is the differences between vista/7 UAC, and how this might effect things. The tool is only to verify if in different circumstances it reads and returns values, and also to see if values don't exist for some reason when they should.

Sul.

 

Here is a small test tool that needs to be ran on different versions of vista/7. I have vista ultimate on wifes machine, and 7 ultimate on mine. I need to see what happens.

www.mrwoojoo.com/safe_admin/reg_test.exe

This should prompt the UAC to come up for admins rights.
Two windows will display.
The first will look for UAC settings and SEHOP/driver installation settings.
The grid shows the parent key, the key name, the key type, the default value (as per M$) and finally what it found in the last column. If the found value is null (blank) then that key does not exist.

The second window shows a grid with the app compatability reg values. It might be blank, or might not. This is a secondary test that I threw in because I wanted to see how many had values in there that they did not know about. On many machines it will give a blank result because the key does not exist yet or there are no values. This would not be a concern either way.

If you could, post back what OS you used it on (which flavor) and what names had null values found. Also if you have not modified your settings, if your found values differ from what should be default. Some of the UAC settings declare a different default for home vs. enterprise editions, but not all are stated.
Thanks.

Sul.

 

Sully,
I'm using Windows 7 Home Premium 64 bit.
SessionManager\Kernel, Driver Signing, and Internet Setting\Zone\3 all had a null value. My settings definitely have been modified.
I'm looking forward to your little app! By the way, the context menus do look good, but I'm in favor of Kees suggestion (more descriptive).
Allen

 

Sul,

I think it is time to move to other anti-malware section to increase exposure


Remember for consentpromptbehaviour Vista has other defaults, so I would suggest 2 columns

I have my driver signing here (vista x32 business), set through GPO

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing

 

I missed this part over here.

How did that work for you?
This behavior (lack of installer recognizability) seems to only work with installer without the manifest file. If you double-click a file with the manifest file, then UAC will auto-elevate it. If it lacks it, then the behavior you make mention happens.

 

I was wondering about this a bit. I 'think' I have notice in my experimenting, that if I set UAC to quiet mode, only programs known or signed (something) are allowed to run without a prompt. Or maybe it was under default UAC, have played with a lot of settings.

Anyway, I am pretty certain that if I installed a program that required admin, I somehow got UAC to approve M$ related programs (like cmd or .msc) without prompting, but on any program not 'verfied' I had to approve or 'RunAs'. I can't remember exactly.

Anyone know about this?

Sul.

 

This is not related to alpha version of SAFE-Admin.

Is anyone able to change integrity levels for Windows Media Player on Windows 7 (Maybe Windows Vista as well.)? I'm not allowed to. It gives me an access denied message. It seems to be protected. Not sure if UAC has a play role here.

This makes me wonder if would be possible to change ILs for Windows Live Mail for example. I'll give it a try, though.

VLC Media Player runs fine with Low IL. Only setting vlc.exe with Low IL and %AppData%\Roaming\vlc with (OI)(CI)L

 

You are trying to place all internet facing aps in low rights world Thanks for trying