Anti-malware program that can shutdown

Discussion in 'other anti-malware software' started by stap0510, Feb 10, 2009.

Thread Status:
Not open for further replies.
  1. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Howdy folks,

    To come straight to business:

    I'm looking for an anti-malware program that can shut down the computer immediately when detecting something fishy.

    I already have full disk encryption and now want to protect my system from any "live forensics".
    When the computer is down, all that is left is the whole encrypted disk, which is practically impossible to crack or do anything with.
    The weakest link then becomes the state where the system is up and running and therefore directly accessible for any kind of live-forensics software to be installed.

    I want a program that can execute a batch file, or shut down Windows XP itself.
    The batch file that I've written contains the shutdown command for Windows XP with some extra parameters to shut down immediately upon running that batch file.
    But with me out of the loop: I want a security program to do this for me when something unknown is being run, or being run from a new place.
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Anti-malware program that can shutdown

    You want something very strange. OK, but what will you do after shutdown? Sooner or later you will need to boot and ...
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: Anti-malware program that can shutdown

    Why don't you ask for a program that will stop/prevent the malware in the first place rather than just shutting down the PC?
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Re: Anti-malware program that can shutdown

    I think he's talking about someone with physical access.
    Though aigle's reply is useful. Use a limited account, and set it up so it won't accept new executables (software restriction policies, HIPSs and so on).

    To the specific question, I'm afraid I don't know how to help.
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Re: Anti-malware program that can shutdown

    Are you leaving sensitive documents unattended?
    When you are not around, lock the HDD in a safe with a toast function (fire).

    The NSA has probably already imaged your drive while you were surfing the internet.
    Not to worry though, they won't share what they found with the FBI or CIA because it might reveal their capabilities.

    You should be more concerned with the tracking embedded in the pr0n pictures people are sharing. Traders are being actively tracked.

    Maybe you should get a 320GB Seagate HD with built-in encryption that can be erased in seconds with the built-in wiper. Set that up with your batch program.
    In the time they can think about reaching for the power button or pulling the plug: wiped.
     
  6. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    OK, obviously my posting wasn't as clear as it perhaps should have been.

    I'm trying to make my computer as secure as possible.
    When the computer is off all the data on the drive looks totally random when examined.
    But when it is on you are already in the filesystem and in Windows XP.
    An anti-malware program that just stops it isn't enough here.

    Let's say you're going to the bathroom for a leak and suddenly Law Enforcement or any other aggressive adversary busts your door to take you and your running laptop in.
    When that happens the full-disk encryption offers no protection anymore since it is on, so you don't need a password for access.
    Yes, I know that Windows and other programs can still ask for a password too, but that simply doesn't cut it.
    Full-disk encryption offers protection only when the machine is off, as it asks for a password when starting it up.
    No correct password means no access at all to the laptop with all its highly sensitive data.
    Considering that that is the best and hardest protection to have, I want to put any adversary back to that kind of protection by making it switch itself off whenever something weird is attempted to run.

    So yes, for that, you'll need physical access to the machine.
    An adversary will try to run a Live CD with "live forensics" software on it to analyse the content of the drive that is then in an open/unencrypted state.

    With a program that notices changes in the processes being run, it will shut down at once.
    When that happens the adversary is thrown back to the encrypted state of the hard drive, asking for a password for booting up.
    Cracking that is by any practical means impossible.....when implementing the right encryption scheme of course.
    When you have an anti-malware program that doesn't shut down, you give the adversary all the time in the world to find and try other "live forensics" programs to see if they can be run unnoticed.
    So then you just have a cat-and-mouse game, which is simply undesirable.
     
  7. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Re: Anti-malware program that can shutdown

    That is, by the physics of the hard drive, impossible.
    And even after a thorough wipe, little fragments of data can still be recovered.
    Believe me, I've already looked into that.
     
  8. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    why not use System Shutdown Simulator :D

    It will shut down all running malware when you press the shutdown button.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I'm more into malware but occasionally you type of folks pique my curiosity, so here was one of my experiences of concealing data as though it was a national secret project.

    I used TrueCrypt to make a container with the most outlandish scrambled name you ever saw, including special characters, including Russian + Chinese. Let them try to bite on that for a while. This container I changed to a .sys file for further concealment, and not only that, but I changed the file extensions of the supporting files too: exe, dll, etc. Then I hid that container inside a weird batch file I ran across on the net that changes a folder into any series of system files like CONTROL PANEL attached by a random registry GUID. Did that twice for good measure. (This was a fun time for me.)

    I then shoved it all into a Returnil virtual partition, password protected, and renamed it too.

    Too much imagination for me since I prefer to deal with battles of malware, so I stopped there.

    I guess if you really wanted to dig a hole deep inside Windows to hide an encrypted section you could also bury it in another hider like Stealth Mobile Disk and tuck it inside a good rootkit.

    Frankly, if I have some private machine data I keep it on a USB pen you can slip in a cigarette case. :D
     
  10. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    I don't want to hide anything.
    I want an anti-malware program that can shut down on its own whenever it detects that there is something off.
    First, the adversary of course has physical access to the laptop.
    Second, I'm not there, or I'm being held by the adversary, unable to shut down the machine in time myself.

    So this really has to be an automated process, with me being out of the loop.
     
    Last edited: Feb 11, 2009
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    So you're meaning, once your computer is locked and you're away from it, any attempt to log in, you'd like your computer to completely power off and shut down?

    Your request is a unique one.

    But I could state the obvious and say, shut down your computer whenever you know you're going to be away for even a few minutes. Or take your laptop with you, into the bathroom or wherever if you're worried about someone accessing it.

    Otherwise your best bet is to search www.download.com where there are heaps of programs.

    This one can shut down your computer at a certain time, from a countdown/timer, or by CPU usage. Which I'm guessing could shut down if someone was to start logging in or accessing your drive.

    Download/author site
    http://www.download.com/Rs-Somnifero/3000-2094_4-10220554.html
    http://www.ricosoftware.net/en/index.php?pag=somnifero.php


    This can shut down when the internet is disconnected:

    Download/author site
    http://www.download.com/GreenShield-PC-Auto-Shutdown-Software-/3000-2094_4-10545346.html
    http://www.nayaab.net/index.html?pc_auto_shutdown_software.htm

    Some more shutdown tools:

    http://www.softpedia.com/get/System/Launchers-Shutdown-Tools/PC-Auto-Shutdown.shtml

    http://www.softpedia.com/get/System/Launchers-Shutdown-Tools/Auto-Shutdown-Manager.shtml

    Plenty more in this list:
    http://www.softpedia.com/catList/117,0,3,0,3.html
     
  12. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    A slightly different approach.

    The root of the problem appears to be content protection from unauthorized access by a compromised process or compromised physical security. Secondarily, the concern seems most focused on when the end-user is away from the computer, presumably because the presence of the end-user can offset the risks from a compromised application, which is reasonable given an advanced user with the right tools.

    Full disk encryption adds no value to the case of the compromised process because the convenience of this function does not provide for rigorous authorization and authentication as to what may access what. So, in short, any process may access any file or directory within the host per full disk encryption, generally.

    However, there are offerings, such as from Mobile Armor, that support two or more different encryption keys. One applies to the 'full disk' and a different one or more to select directories/drives. I've recommended this to customers with realistic concerns about organized crime or other influences compromising their IT personnel to access sensitive content. My company has been involved with some very 'intense' organizations. ;)

    This scenario requires the computer end-user to possess a second possession factor such as a USB device (unless a multi-key device would work). Access to 'sensitive' content requires the USB device.

    I did not consider Mobile Armor with this use-case in mind. So, I do not know if they have an option that causes an authentication challenge for each attempted access to 'sensitive content'. With this inconvenience in place, the 'intrusion' must occur with the aid of the end-user.

    As for law enforcement or any other physical intrusion, if they possess that USB device intact, game over!

    Cheers,

    Eirik
     
  13. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    That's why I use TrueCrypt for my full-disk encryption.
    When using AES in combination with a large password with letters, capital letters, numbers and symbols it is by any means impossible to crack.
    Everybody stating otherwise has to prove this to me, because then that person would be the first to accomplish this in the whole world.

    Second:
    I know that the solution that I'm seeking is unique.
    That is also why I'm asking it here, because with search engines I didn't find anything useful.

    So I want something that:
    - Detects when (live) forensic software is being run.
    This could of course be run from a USB stick, such as Helix, or from the CD drive.
    - Upon detection executes a system command itself or runs a batch file with the shutdown command specified with some parameters.

    Then the laptop is off.
    When booting up the laptop, the encryption kicks in and asks for a password.
    Just to be clear: I'm not going to argue here about the strength of TrueCrypt passwords, which are quite lengthy.
    If I don't give my passwords to others, Law Enforcement (or any other formidable adversary) doesn't stand a chance.
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Authentication strength was not the point of my post. Sometimes the root problem might better be addressed by a completely different remedy than initially considered.
     
  15. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Again, back on topic please.
     
  16. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    I have come to think about it and think my question is too narrow.

    Here are the problems my initial question is not addressing:
    Although it is a possibility that Law Enforcement will use additional forensic software, it doesn't only have to be that case.
    They, or others, could also just be copying files to their USB stick or changing things on my system without installing anything.

    So, after some thinking, my really bigger problems are:
    - Using foreign removable devices, such as USB sticks.
    On the other hand I do already use one USB external drive.
    So that should be accessible, and can therefore also be misused.
    The current external drive could be connected to my laptop, then be cleaned of encrypted container files, to then copy all my confidential files unencrypted to that external drive.
    Here we have no issues with additional software.

    - Not installing additional software, but just copying my stuff to my own familiar external USB drive.

    The more I think about it, which I do a lot lately, the more I think that I just need to shut down the machine myself as soon as possible.
    I think that practically what I'm looking for is impossible to make.
    One could think of some sort of authentication token through which I gain access.
    But if my door is being busted, that doesn't really help me either.
    LE, or other adversaries, can always take the token from me.

    Although not a comforting answer, I now do think that there is no real practical answer to it. :'(
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Maybe useful for you? Maybe not.

    Batch file that closes any entry to the USB slots. Uses the registry to switch ON/OFF; I use it occasionally to test units.

     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    EASTER,

    You're missing the commands for the enable and disable sections. That batch file does nothing except pop up a message asking for your choice.
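Since the attachment EASTER posted never made it into the thread and, as Eice notes, lacked the actual enable/disable commands, here is an added example of the same switch in Windows PowerShell. It is not EASTER's file or anything from the thread; it assumes the standard registry location of the USB mass-storage driver service (USBSTOR), where a Start value of 3 means the driver loads on demand and 4 means it is disabled. Run it from an elevated (administrator) shell.

```powershell
# Added example, not EASTER's attachment: enable or disable USB mass storage
# on Windows by toggling the USBSTOR service's Start value in the registry.
# Start = 3 -> driver loads on demand (normal); Start = 4 -> disabled.
# Assumed: the standard key path below (same on XP and later); elevated shell.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Read the value back so a write that did not take (typically: shell not
    # elevated) is reported instead of silently assumed to have worked.
    $actual = Get-UsbStorageState
    if ($actual -ne $State) {
        throw "USBSTOR Start not applied (wanted $State, got $actual)"
    }
    return $actual
}

# Usage:  .\usbstor.ps1 off    .\usbstor.ps1 on    .\usbstor.ps1   (show state)
switch ($args[0]) {
    'on'    { Set-UsbStorageState -State Enabled }
    'off'   { Set-UsbStorageState -State Disabled }
    default { "USB mass storage is currently: $(Get-UsbStorageState)" }
}
```

Three caveats a practitioner would want stated: this only affects the mass-storage class driver (keyboards, network adapters and other USB classes still work); a disk that is already attached stays mounted until it is unplugged; and it does nothing against booting a Live CD or USB stick from the BIOS, nor against an adversary who already has an administrative session and simply sets the value back to 3.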
     
  19. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    As far as I know Dr.Web has (had?) a function where it can shut down the computer if it detects an item.
     
  20. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    What I've done last weekend is create a simple shortcut on my desktop to Shutdown.exe.
    That's a file in the system32 folder, on XP.

    Then I've changed the command parameters to the following:
    "C:\WINDOWS\system32\shutdown.exe -s -f -t 0"

    Then I also made a shortcut key of "CTRL + ALT + M".

    So when I press these three buttons together at once, my system will shut down a lot quicker than holding the OFF button for 3 seconds.

    Try it out yourselves :D

    What I still could do is ask Faronics or the makers of Zemana and ProcessGuard if they have such a feature already, or whether I can set something up with their software to make this work.
    The red line throughout this is the fact that I'm looking for a niche product in an already niche market.
    Chances are that no manufacturer sees any money in making something like this....no matter how awesome it would be.
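The two triggers the thread converges on (an unknown process starting, and a removable drive being attached so files can be copied off without installing anything) can be wired to the very shutdown command above without a commercial product. The following is an added example, not code from this thread or from Faronics, Zemana, ProcessGuard or Dr.Web: a Windows PowerShell watchdog (PowerShell 2.0 or later, so XP SP3 qualifies; Register-WmiEvent is not present in PowerShell 7) that polls WMI for process creation and volume arrival and, on either, runs `shutdown.exe -s -f -t 0`. The allowlist of executables is an assumption for illustration; build yours from a baseline of what normally runs on the machine, or the first scheduled task will power it off.

```powershell
# Added example, not from the thread or any product named in it: a watchdog
# that forces the same shutdown stap0510 bound to CTRL+ALT+M when either
#   (a) a process starts whose executable is not on an allowlist, or
#   (b) a new volume (USB stick, external disk, CD) appears.
# Needs Windows PowerShell 2.0+ and, to see every session's processes, an
# elevated shell. Functions and state are global because the -Action blocks
# run outside the script's own scope.

# ASSUMED baseline of executables allowed to start while the machine is unattended.
$global:PanicAllowlist = @(
    'C:\WINDOWS\system32\svchost.exe',
    'C:\WINDOWS\system32\lsass.exe',
    'C:\WINDOWS\explorer.exe'
)
$global:PanicDryRun = $true   # set to $false to really power off

# Decision logic kept separate so it can be exercised without WMI.
function global:Test-PanicAllowed([string]$ExePath, [string[]]$Allowlist) {
    # No readable path (process already gone, or another user's session when
    # not elevated) is treated as unknown: fail closed, not open.
    if (-not $ExePath) { return $false }
    return [bool]($Allowlist -contains $ExePath)
}

function global:Invoke-PanicShutdown([string]$Reason) {
    Write-Host "PANIC: $Reason"
    # -s shut down, -f force-close applications, -t 0 no countdown:
    # identical to the desktop shortcut in the post above.
    if (-not $global:PanicDryRun) {
        & "$env:SystemRoot\system32\shutdown.exe" -s -f -t 0
    }
}

# (a) Process creation. WITHIN 1 makes WMI poll once a second; this needs no
# special provider, but a process that lives under a second can be missed.
$procQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
Register-WmiEvent -Query $procQuery -SourceIdentifier PanicNewProcess -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    if (-not (Test-PanicAllowed $p.ExecutablePath $global:PanicAllowlist)) {
        Invoke-PanicShutdown "unknown process $($p.Name) [$($p.ExecutablePath)] pid $($p.ProcessId)"
    }
} | Out-Null

# (b) Volume arrival: EventType 2 is "device arrival" for Win32_VolumeChangeEvent.
# Every new drive letter counts, including the owner's own external disk, which
# is exactly the "copy my files to my familiar USB drive" case from the thread.
$volQuery = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"
Register-WmiEvent -Query $volQuery -SourceIdentifier PanicNewVolume -Action {
    $drive = $Event.SourceEventArgs.NewEvent.DriveName
    Invoke-PanicShutdown "new volume attached at $drive"
} | Out-Null

Write-Host "Watchdog armed (dry run: $global:PanicDryRun). Ctrl+C to disarm."
try {
    # Wait-Event keeps the session idle so the registered -Action blocks run.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier PanicNewProcess -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier PanicNewVolume  -ErrorAction SilentlyContinue
}
```

Start it with `$global:PanicDryRun = $true` for a day and watch what it would have fired on before arming it for real. Two limits follow directly from the design: the watchdog lives inside the operating system the adversary is sitting at, so it only wins if the forced shutdown completes before they notice and kill powershell.exe; and with the one-second polling interval an adversary who never starts a new process and never attaches a device (for instance reading files through the Explorer window that is already open) is not seen at all. That is the gap stap0510 describes when concluding there is no fully automated answer.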
     