Best practices to avoid malware infections on the web without blocking everything

Discussion in 'other software & services' started by AboutBlank, Aug 22, 2014.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Good one, MrBrian!

    I remember a few years ago our old friend m00nbl00d helping me set up Firefox with batch files, except they use the "chml" tool instead of "icacls" to change the integrity levels.

    To apply low integrity level to Firefox and Adobe Flash:

    Code:
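    @echo off
    REM -i:l sets the Low integrity label on each path.
    REM -nw and -nx add the no-write-up and no-execute-up policies to that label.
    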
    C:\Windows\System32\chml "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -i:l
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\local\mozilla" -i:l
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\local\Temp" -i:l
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\roaming\mozilla" -i:l
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\w27tca9y.default-1344366520934" -i:l -nw -nx
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Adobe\Flash Player" -i:l -nw -nx
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Macromedia\Flash Player" -i:l -nw -nx
    Pause
    c:\windows\system32\chml "C:\Windows\System32\Macromed\Flash" -i:l -nw -nx
    Pause
    ...then to remove low integrity levels if needed:

    Code:
    @echo off
    REM -rl removes the integrity label from each path.
    
    C:\Windows\System32\chml "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -rl
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\local\mozilla" -rl
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\local\Temp" -rl
    Pause
    c:\windows\system32\chml "c:\users\username\appdata\roaming\mozilla" -rl
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\w27tca9y.default-1344366520934" -rl
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Adobe\Flash Player" -rl
    Pause
    c:\windows\system32\chml "C:\Users\username\AppData\Roaming\Macromedia\Flash Player" -rl
    Pause
    c:\windows\system32\chml "C:\Windows\System32\Macromed\Flash" -rl
    Pause
    Of course "username" would be substituted with one's account name, and "w27tca9y.default-1344366520934" would be substituted with one's user space Firefox Profiles directory.

    I have to say I have no idea if they would work now on "today's" Firefox.
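
The same labelling done with the built-in icacls instead of chml, as an added example that is not part of the original post. It resolves the user and profile paths from environment variables rather than hard-coding "username" and the profile name; it covers only the Firefox paths, assumes a default install location and English icacls output, and the function name Set-LowIntegrity is hypothetical. icacls has no counterpart to chml's -nx switch, so only the label itself is set.

```powershell
# Added example (not from the thread): icacls-based labelling of the Firefox paths.
# Assumptions: default install path, English icacls output, elevated PowerShell prompt.

# Resolve per-user locations instead of hard-coding "username".
$targets = @(
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
    "$env:LOCALAPPDATA\Mozilla",
    "$env:LOCALAPPDATA\Temp",
    "$env:APPDATA\Mozilla"
)

# Pick up every profile directory rather than one hard-coded profile name.
$profileRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"
if (Test-Path -LiteralPath $profileRoot) {
    $targets += @(Get-ChildItem -LiteralPath $profileRoot -Directory |
                  Select-Object -ExpandProperty FullName)
}

function Set-LowIntegrity {
    param([string]$Path, [switch]$DryRun)

    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING     $Path" }

    # (OI)(CI) makes new files and subfolders inherit the label; it is only valid on folders.
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $level = if ($isDir) { '(OI)(CI)L' } else { 'L' }

    if ($DryRun) { return "WOULD SET   $level  $Path" }

    & icacls.exe $Path /setintegritylevel $level | Out-Null
    if ($LASTEXITCODE -ne 0) { return "FAILED      $Path" }

    # Verify: icacls lists an explicit label as "Mandatory Label\Low Mandatory Level".
    $acl = & icacls.exe $Path
    if ($acl -match 'Low Mandatory Level') { "LOW         $Path" }
    else                                   { "UNVERIFIED  $Path" }
}

# Dry run by default: prints what would change. Remove -DryRun to apply the labels.
$targets | ForEach-Object { Set-LowIntegrity -Path $_ -DryRun }
```

A status of UNVERIFIED means icacls reported success but the Low label was not found in its output, which is worth checking by hand before relying on the setup.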
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I am reluctant to say much about what to do. Not installing Java is a really good thing. It is seldom needed for browsing these days.

    You might still be using some programs in your computer that use Java. I for example have BlueJ IDE for Java programming. I'm not liking Java and much prefer something like Python as a programming language, but yes it works without any system wide install. And also Matlab, I think and not sure, uses Java. They are programs and to have them working you don't need any control panel Java install.
    If they want to connect to the internet, a firewall like TinyWall can prevent that. And they are not the primary attack targets.

    JavaScript you can hardly disable without seriously crippling your surfing. There are good blockers like NoScript (Firefox) and HTTP Switchboard (Chrome) you can use without disabling JavaScript totally.

    Then of course Sandboxie and AppGuard are great programs that make me feel safer in the wild web.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I just watched the Braves (my team) lose against the Reds using a streaming site. Because I block JS with NoScript, whenever I use this particular site, the website loads scripts from only two sites. If I was not using Firefox with NoScript and watched the game on a regular Firefox, the page would load scripts from 13 sites. The 11 sites on the left are the ones that NoScript is blocking, I also have added those sites to my blacklist, some of those sites have names that sound pretty nasty.

    There are people that say NoScript breaks the internet, I don't see that, I am still able to watch the game (purpose for using that site), doing it on a clean webpage that loads faster, doesn't use many resources and perhaps I am even safer than if I was only using SBIE.

    Bo

    [Attached image: untitled.JPG]
     
  4. guest

    guest Guest

    Sad thing is there are some websites which heavily rely on javascript, up to the extent where it will just give you a blank white page if you globally disable javascript. And of course, there are also websites which try to load inflated javascript requests, such as PC Mag.
     
  5. allizomeniz

    allizomeniz Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    943
    The thing with NoScript is you can block a lot on certain sites and everything works fine, but go to the next site and it's broken. I think that's really the most difficult part of learning how to use it. Right when you think you've got it figured out something new comes along and throws you a curve. :D

    I set it to allow the top-level domain by default. Then I've got some whitelisted domains which I also allow 3rd party scripts on in Advanced settings, these are sites I really trust and also need to function at 100%. Then I have a few totally untrusted domains I don't allow at all.

    I also use AdBlock Plus, but with only two filter subscriptions, EasyPrivacy and Malware Domains. With these you can get some protection while not interfering with advertisements so much.
     
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    as I said before the vast majority of sites function enough to read their content without javascript.

    some do require javascript but is a small %. if it helps others I can share my whitelist, although I cannot guarantee I have not allowed javascript when it's not needed.

    regarding java firefox now has clicktoplay and IE has had the ability for years now where if a website wants to run java it requires manual approval, that is as good as having it not installed as long as you use common sense. I require java on my system as my job includes accessing remote servers which almost exclusively use java, java is heavily used in the corp world.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    yep, do you mind sharing your untrusted list any chance? :)
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Chrcol, I think it's better if you make one yourself based on the sites that you visit. For example, if I go to a site like the one in the picture, after figuring out the ones that I need to allow, I untrust the rest. But I don't blacklist sites like Twitter or Facebook. That's how I have been doing it. Sometimes I use a site where I have to allow something that's blacklisted, usually I know what they are. Look in your conversations.

    Bo
     
  9. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,391
    Just had a look at their website and while they make a pretty good case for protection, apart from patented technology I could not find any explanation on what the program actually does or how it works? Can you shed some more light on this as an experienced user?
     
  10. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Have been using NoScript for years. I think it was around 2006 that I got rid of all AV's and similar real-time security programs. I've used LnS off and on to monitor what tries to call out. Other than that, NoScript has been my 1st line of defense when it comes to security. In all those years, I can count on less than one hand the number of malware threats I've encountered that were unintentional.

    EDIT: Just searched my posts. Including this one, the most recent half-dozen posts of mine all basically say the same as this one. I'm sure if my setup hadn't continued to work so well for 8 years, I would have posted more frequently in a security forum.
     
    Last edited: Aug 27, 2014
  11. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    thanks yeah that's a good idea.
     