AntiX: is it for you?… dispelling the fear of malware

Discussion in 'other security issues & news' started by Rmus, Jun 4, 2005.

Thread Status:
Not open for further replies.
  1. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    My point is there is a growing trend among users of PG and similar products to quote some tech article about the latest worm, trojan or keylogger and then add a comment that the 'antix' capability* of PG will protect them.

    The underlying assumption of the poster, I think, is that the malware will be using some kind of unknown exploit (buffer overflow maybe?) to autoinstall without any user interaction. But as mentioned before, in most cases, that is not even close to the truth.

    Such exploits are extremely rare and valuable, and chances are the latest malware that is being discussed, while interesting technically in some way, utilises no such exploit and as a result still requires user interaction (typically self-execution) to get installed.

    And in such cases, only user awareness can save you.

    * Other functionality of PG might save them of course, but of course according to some that isn't REALLY proactive. Neither is RD according to the same view.
     
  2. dog

    dog Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Well, I agree with your point Pollmaster that no amount of the greatest software will protect the ~blind~ user.

    But at the same time I think PG is the single greatest piece of security software to date. With the proper utilization it's almost a 100% guarantee. With a limited white list, all the global protections enabled, block changing exe's and PG locked, it's pretty much unbeatable ... running under a limited account goes a long way too (but under those conditions even running an admin account is safe). ;)

    But even when that environment needs to change (ie. software installation) there are other measures/protections in place. Between your AV/AT, apps like RegRun, and PG's exe control (which would prevent any further rogue processes from running without user permission), should something go awry one can easily undo what's been done ... even when it comes to installation I don't disable PG, I leave the exe and global protections active; if an install requires a driver/service installed, usually the installer will prompt you to the fact that it failed and you can adjust PG accordingly, and even if there isn't a prompt a quick look at PG's log or flashing systray icon will highlight that fact ... and you can easily re-install over top.

    I believe imaging is also key. I have a few hundred gigs of extra drive space, so taking an image prior to any installation is something I always do, with no exceptions - which is a really easy rollback should the worst happen. ;)

    Now I know this is just a basic overview of how my systems are set up/utilized (I could go on and on and on :blink: :D ) ... there's a little more to it of course ... because like you and all the regulars here, security is my hobby too. ;)

    If I had to class myself, I'd say my net activities are fairly high risk, between P2P (mIRC), venturing to the dark side of the web (and no I'm not referring to porn sites), and checking out links posted here etc. ... I think just that would put me in that class. But I still have never been infected with anything. But you're absolutely right; it does for the most part come down to the user's actions, common sense, and knowledge of your security apps ... if you're not careful you can get burned.

    With that said ... PG is the one app I wouldn't ever be without. I think it's the strongest link in the armour bar none (I would like to see some small improvements to it though ... but as is, it's still the best preventive protection out there).

    Honestly - PG paired with a solid AV, firewall (both hardware and software), RD to block some of the common attack vectors for malware, and a good imaging program - you're pretty set to go. Add an AT, a script-defender, a web filter like proxomitron, and it's even tighter ... add a few other layers and it becomes near impossible to fall victim.

    It is all about layers, and I think PG and the like are the strongest link.

    Regards,

    Steve

    ~Sorry I rambled on ... I hope this is coherent ... I'm a ~little~ tired.~ :p
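Steve's configuration above (a limited whitelist, "block changing exe's", PG locked) amounts to a default-deny execution policy. The following is an added example written for this page, not ProcessGuard's code and not anything the poster supplied: it models that policy in Python so the cases he mentions (a whitelisted program, an unknown one under a locked guard, a whitelisted binary that has been overwritten, and an unknown one while unlocked so a pop-up appears) can be run through. SHA-256 as the file fingerprint, the class and function names, and the locked / block_changed switches are assumptions standing in for whatever PG actually did internally.

```python
"""Default-deny execution guard, modelled in Python (added illustration; not ProcessGuard's code)."""
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"   # a pop-up; only possible while the guard is unlocked


def sha256_of(path: str) -> str:
    """Hash a file in chunks. SHA-256 is an assumption; the page does not name PG's algorithm."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecGuard:
    def __init__(self, locked: bool = True, block_changed: bool = True):
        self.locked = locked                # locked: unknown programs are denied, no pop-up
        self.block_changed = block_changed  # "block changing exes": deny a listed file whose hash moved
        self._allow = {}                    # absolute path -> SHA-256 pinned when the entry was added
        self.log = []

    def whitelist(self, path: str) -> None:
        """Pin path+hash. Refused while locked, so nothing can quietly add itself to the list."""
        if self.locked:
            raise PermissionError("guard is locked; unlock before editing the whitelist")
        self._allow[os.path.abspath(path)] = sha256_of(path)

    def decide(self, path: str, user_answer=None) -> Verdict:
        """Verdict for an execution request; user_answer is the reply to an earlier PROMPT."""
        path = os.path.abspath(path)
        pinned = self._allow.get(path)
        if pinned is not None:
            if sha256_of(path) == pinned:
                return self._record(path, Verdict.ALLOW, "whitelisted, hash matches")
            if self.block_changed:
                return self._record(path, Verdict.DENY, "whitelisted but file changed")
            # option off: a changed file is treated like any unknown program
        if self.locked:
            return self._record(path, Verdict.DENY, "not whitelisted, guard locked")
        if user_answer is None:
            return self._record(path, Verdict.PROMPT, "not whitelisted, asking the user")
        return self._record(path, Verdict.ALLOW if user_answer else Verdict.DENY, "user decided")

    def _record(self, path, verdict, why):
        self.log.append((os.path.basename(path), verdict.value, why))
        return verdict


def demo() -> dict:
    """Constructed scenario: one trusted program, one unknown .scr, then the trusted file is overwritten."""
    with tempfile.TemporaryDirectory() as d:
        editor = os.path.join(d, "editor.exe")
        saver = os.path.join(d, "funny.scr")
        with open(editor, "wb") as f:
            f.write(b"MZ trusted editor")
        with open(saver, "wb") as f:
            f.write(b"MZ something that arrived by e-mail")
        guard = ExecGuard(locked=False)
        guard.whitelist(editor)          # add while unlocked ...
        guard.locked = True              # ... then lock the configuration
        out = {}
        out["trusted"] = guard.decide(editor).value
        out["unknown_locked"] = guard.decide(saver).value
        with open(editor, "wb") as f:    # something overwrote the trusted binary in place
            f.write(b"MZ trusted editor + injected code")
        out["trusted_modified"] = guard.decide(editor).value
        guard.locked = False
        out["unknown_unlocked"] = guard.decide(saver).value
        out["unknown_user_allows"] = guard.decide(saver, user_answer=True).value
        guard.block_changed = False
        out["modified_no_block"] = guard.decide(editor).value
        return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

What the model makes visible is why the two settings matter together: an allow list keyed on path alone is defeated by overwriting a trusted binary in place (the "trusted_modified" case), and a list that can be edited while the guard is locked is defeated by a program adding itself. The code models the decision only; enforcing it on a real system needs a kernel driver, as PG had, or an OS mechanism.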
     
  3. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Or one who has too much faith in software without any understanding.

    I wouldn't take the hyperbole so far.

    I haven't tried it yet, but I suspect a limited account with proper restrictions to files and folders + PG (is this possible?) would be truly unbeatable, with the former covering files and folders, an area PG does not touch.

    I agree with this except the value of exe control when the environment needs to change.

    Fun hobby isn't it? Not everyone has the same hobby though.


    I think it's by no means a "must have", but it's somewhat useful, except for exe control which I think is the least useful of all the functions in PG.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The examples I gave were based on exploits known to me.

    1) Copying across a network. I used rootkit as a demonstration, since that's the latest and greatest, but know of an instance where a keylogging program was installed across a network at a school. With AE installed, that could not have happened. (I assume PG, but could not test that)

    In this same instance, a successful deletion of an AV program was done across the network. That could not have happened with AE's delete protection.

    One can argue that tighter network control might have prevented it, but it happened. A locked-down whitelist which blocks unauthorized executables, prevents these in any case.

    2) DLL injection. These tests were set up to test firewalls, where known instances of trojans getting outbound traffic past a firewall were successful. Both PG and AE don't let the outbound attempt even get to the firewall. (granted, something in the defense broke down in that the trojan got installed in the first place, but it happened)

    Since you mention user awareness (certainly very important), I could have included inadvertent user action protection. A family I know, with two children ages 10 and 12, has one computer. Each has a separate email account. Dad has strict rules, one of which is that only Dad opens email attachments. They love screen savers, and often download different ones from a reputable site. One day, daughter gets an email from a friend saying, here's a great screen saver. It's attached as a zip file, and she can't resist. After all, it's from a friend, and she knows .scr is a screen saver. Dad comes home and the computer doesn't work. Daughter is honest and cannot tell a lie. Not too much damage, and the computer is cleaned up.

    With AE (and I assume PG) this could not have happened. Had the above occurred a few days ago, it might have been worse:

    AE_screensaver

    _________________________________

    So there are many uses for both of these programs, as I stated in the original post, and to limit the benefits to these few examples does a disservice. Even after evaluating them and deciding for oneself that they aren't needed, it doesn't serve any purpose to denigrate those who find them useful.

    But all of this discussion gets away from the point of this thread, which is to dispel the fear that many people have of malware, and to show that it's possible to set up a system that is pretty secure (notwithstanding the need for user education). I use AntiX as just one type of protection that a user can utilize.

    regards,

    -rich
     
    Last edited: Jun 7, 2005
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: AntiX: is it for you?… dispelling the fear of malware

    Hi Dog,

    I am in your camp. Trying to figure out what all the different "anti" programs were doing and how they were doing them was becoming ludicrous. Giant AS alone claims to be covering 59 different "checkpoints". Win Patrol has its set, as does Tea Timer, Ad-Watch, SpySweeper, etc., etc., etc.

    The fundamental problem is that once a malicious program has the opportunity to begin tampering with a system, there are hundreds, or maybe even thousands of things it can do - including cloaking itself.

    By putting .exe control back into the users' hands, ProcessGuard creates a centralized "choke point", which now can be monitored by users. Script defenders, such as WormGuard, Script Sentry, etc. provide similar facilities. I put all of these programs into the "sentry" class since they are guarding the "gates of entry".

    I am quite sure that ProcessGuard, WormGuard, RegDefend, and others can all be augmented and refined. But what a great start! Instead of dozens of programs trying to monitor all the little "nooks and crannies" in Windows (how many hiding places there must be??), it is now becoming possible to station just a handful of very powerful applications (e.g. firewall, top-rated AV/AT, .exe guard, script guard, registry guard) at the perimeter with the goal of stopping the nasties before they have an opportunity to create any mischief. This, to me, sounds like a plausible long-term security strategy.

    Rich
     
  6. dog

    dog Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    PG runs fine under a limited account ... the GUI itself won't load, but with the settings for PG I mentioned above, trying to run something that isn't whitelisted results in "invalid handle"; if PG is left unlocked and changing exe unchecked, you'll get the same allow/deny pop-ups as you would under an admin account and it can be allowed from there. RD as another example: under a limited account the user cannot effect any permanent change to ghost files; the user can allow/deny each pop-up if they're set to ask user, but can't affect the always allow/deny check box or (I believe) set an APO that will take. I would still like to see a locking mechanism on RD, which would further limit any chance for change in either environment.

    I agree with what you hinted at in regards to a file/folder defender - which I'm sure is on the horizon - which will further cripple any chance of malware. RegRun does provide for some of this file protection with the anti-replacement & file protection functions. RegRun by default backs up critical system files and the user can add any file they wish, which RegRun copies to another folder, and uses checksums to verify the file is unchanged; if it has changed, a simple restore from the RegRun backup folder replaces the file, or if the change is legitimate the user can update the file in storage.

    One doesn't need RegRun to accomplish this, but it does make it so easy because it's fairly automated. The same effect could be achieved by creating a backup folder of sensitive files in conjunction with running an integrity checker, then when a change is found, either replace the file from storage or update the storage and checksums. But again this does come down to user knowledge/awareness ... :ninja:

    Steve

    ~still half asleep and :ninja: ~ :p
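Steve's backup-folder-plus-checksum scheme above (and his later point that, unlike WFP, it covers whatever the user chooses, hosts file included) as an added example for this page. It is not RegRun's code and not the poster's: a small Python store that copies each protected file aside, records a SHA-256 (an assumption; the page does not say which checksum RegRun uses), reports each file as ok, modified or missing, restores from the stored copy after checking that the copy itself still matches, or accepts a legitimate change by refreshing the copy and checksum. The file names, paths and the tampered hosts entry are constructed for the demo.

```python
"""Backup-folder plus checksum file protection, in Python (added illustration; not RegRun's code)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks. SHA-256 is an assumption; the page does not name RegRun's checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class FileVault:
    """Pristine copy plus checksum for each protected file, kept in a separate store directory."""

    def __init__(self, store_dir: str):
        self.store_dir = store_dir
        os.makedirs(store_dir, exist_ok=True)
        self.manifest_path = os.path.join(store_dir, "manifest.json")
        self.manifest = {}   # absolute path -> {"sha256": ..., "copy": path of the stored copy}

    def protect(self, path: str) -> None:
        """Copy the current file aside and record its hash as the known-good state."""
        path = os.path.abspath(path)
        copy = os.path.join(self.store_dir, hashlib.sha256(path.encode()).hexdigest()[:16])
        shutil.copy2(path, copy)
        self.manifest[path] = {"sha256": sha256_of(path), "copy": copy}
        with open(self.manifest_path, "w") as f:
            json.dump(self.manifest, f, indent=2)

    def check(self) -> dict:
        """Status of every protected file: 'ok', 'modified' or 'missing'."""
        report = {}
        for path, entry in self.manifest.items():
            if not os.path.exists(path):
                report[path] = "missing"
            elif sha256_of(path) != entry["sha256"]:
                report[path] = "modified"
            else:
                report[path] = "ok"
        return report

    def restore(self, path: str) -> None:
        """Put the stored copy back, after verifying the copy itself still matches the manifest."""
        entry = self.manifest[os.path.abspath(path)]
        if sha256_of(entry["copy"]) != entry["sha256"]:
            raise RuntimeError("stored copy does not match its checksum; do not restore from it")
        shutil.copy2(entry["copy"], path)

    def accept(self, path: str) -> None:
        """The change was legitimate: refresh the stored copy and checksum to the new content."""
        self.protect(path)


def demo() -> dict:
    """Constructed scenario: a hosts file gets an entry appended, a config file is edited legitimately."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        config = os.path.join(d, "app.ini")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(config, "w") as f:
            f.write("threads=4\n")
        vault = FileVault(os.path.join(d, "store"))
        vault.protect(hosts)
        vault.protect(config)
        out = {"clean": vault.check()[hosts]}

        with open(hosts, "a") as f:                 # simulated hijack (constructed entry)
            f.write("203.0.113.5 update.example.invalid\n")
        out["after_tamper"] = vault.check()[hosts]
        vault.restore(hosts)
        out["after_restore"] = vault.check()[hosts]
        with open(hosts) as f:
            out["restored_content"] = f.read()

        with open(config, "w") as f:                # legitimate edit, which the operator accepts
            f.write("threads=8\n")
        out["config_changed"] = vault.check()[config]
        vault.accept(config)
        out["config_accepted"] = vault.check()[config]
        os.remove(config)
        out["config_missing"] = vault.check()[config]
        return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The check on the stored copy before restoring is the part to keep, and Pollmaster's objection below still applies: if the store directory is writable by the same account the malware runs under, both the live file and the copy get replaced and the comparison proves nothing. Put the store somewhere the day-to-day (limited) account cannot write and the scheme holds; leave it in the same profile and it is only a band-aid.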
     
  7. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Exactly, a misconfiguration of the system is the direct cause. A more direct solution is indicated.

    Again, you are making my point. How did the trojan get installed in the first place? If it managed to get installed, it could do a lot more damage than merely trying to pass your firewall.

    Given that I mention this too, in my post above, I don't see what your beef with me is.

    I don't deny that they have a function, just that they are far from the 'greatest thing since sliced bread' hype that many are saying.

    For one, they only come into play when you make a mistake. Granted, people all make mistakes, but at the level we are talking about, for most people here, this is not a very big factor. After taking into account all the basic precautions, not much is left that is covered by this tool.

    For two, it does not protect you from trojans.

    For three, it is costly (in terms of time and knowledge required) to use. Some people who do have the knowledge do not see the need (for good reasons).


    Denigrate is your word. I'm certainly not attacking people who use PG out of knowledge about what it covers and what it does not. If you like, I'm targeting the newbish people who treat PG and similar tools as good luck tokens with zero understanding of what they are doing.

    AntiX (your term) is a strictly limited measure that has its use, it's not a tool that works against all malware.
     
  8. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Of course, instead of using Giant AS to cover all the "checkpoints", you now use RegDefend with Tony's set to cover the same "checkpoints" (less the couple which refer to files of course, but I'm sure Jason will come up with Filedefend soon). I fail to see the difference :)

    The value of Giant I believe comes from its scanning engine mainly, though it does have a nice database of areas to check. Monitoring of registry, files, etc. is one function that is nice to centralise, I agree, but according to you that's not really proactive, since by then the malware process must have run already.

    Of course. But I don't see how wasting a couple of seconds clicking okay to a process you started yourself a second ago helps solve this problem.

    It's a problem that has no solution; there is no way around the problem of running a program you want to run. Intervene before it starts, and you won't know if it was really harmful; try to let it run a little, and you might be too late.


    Personally I think such checks are merely cursory checks: you know a process or script you executed is starting, what does that really tell you? Regdefend, which I see in one post you are denigrating as not really proactive, at least monitors behaviour that provides some info.

    I'm not against such "sentries", and in many cases it's pretty trivial to set up programs to guard these areas; some are already in the OS. That's why people recommend you don't run as admin/root after all!

    But it's hardly a complete solution, since it involves costs, a reason why most users don't run as non-admin. Using tools like PG, Regdefend you are trying to return to the same policy, a policy where the default is deny rather than allow.

    It's more secure certainly, but only if the user running it is clued in. The user of a scanner at least doesn't require much brains, with tools like PG and RD, user awareness is more important than ever, not less.

    And if you are so "Aware", I wonder what additional value such tools will bring anyway.
     
  9. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    I suppose a band-aid would be nice. But as pointed out before, such measures can be overcome as long as you don't secure the whole file system.

    Yes, it's called Windows :)

    Basically this is what WFP does for critical system files isn't it?
    Of course, there are ways around it.


    Nah, I'm going to post the ultimate security setup later, 100% secure , idiot proof.
     
  10. dog

    dog Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    I was thinking of something sooner than Longhorn ... ;) :blink:
    Yes, but WFP isn't user defined ... I'm not just referring to system files, but anything can be protected from GHST files to your hosts file and anything else in between, either manually or semi-automated with RegRun.
    LOL, I can't wait :D that's just what everyone's been looking for :p
     
  11. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,509
    Location:
    UK
    Re: AntiX: is it for you?… dispelling the fear of malware

    As this thread has reached its conclusion, the topic starter Rmus has requested it to be closed!
    Thank you
     