Best protection against zero day exploits

I have a Linux PC so I can switch to Linux for relatively safer web surfing when needed. I use Windows most of the time but I use Linux from time to time too.

 

After reading this particular line i was about to ask what if any new benefits were you expecting or have resulted from this change of strategy to EQSecure, but in following further you answered with this.....................

I too was attracted somewhat to EQSecure but instead of replacing have actually combined it with SSM (as always ). It's seems so much more robust and offers a degree of info suitable for most concerns, with but one issue i wait to be addressed, and that is exhibits a tendency for some programs it blocks to leave them running processes. It would be preferred that it also Terminate those same processes like CyberHawk & others do.

Power Shadow here. Also VMware if i don't mind taxing the central processing unit or running up resources. The 'BEST!" way in my opinion would be "BOTH" a good strong HIPS while also virtualized/sandboxed or otherwise ghosted so to speak.

I happen to be one of those who although have OPERA on stand-by (collecting only dust), have never really encountered but really a scant few sneak-ins courtesy IE browser and none did any real damage to either 98 or XP.
On 98SE i always expected and prepared a copy of wmplayer.exe because it seemed always to be especially susceptible to drive-by patching on-the-fly from the meagerest of web sites who used sponsorship rotational ads laced with that stupid exploit. More of an annoyance than problem.
On the XP Pro side, again IE was the tunnel of entry for a proverbial dropper file now & then, it slides into C:\ folder mostly, then initiates an "outgoing connection attempt" most easily picked up by firewalls.

I now research malware and allow it to attach, infest, or otherwise make changes and wreak havoc on a regular basis, in order to trace their behavior and how well security applications & HIPS can ward off or not various attempts at realignment of system settings etc. Fun stuff sometimes.

 

I am probably the lightweight of the group here. My thoughts are that either HIPS or a virtualization solution are equally effective and the best means to stop zero day threats.

The problem though is that the end user is usally the culprit, not your software. For example, you download a new game. Your HIPS alerts you. You allow the alert because you are installing a new game and think that this alert is for the game you want to play...now you are infected.

No solution is fool proof.

 

Besafe,

That is charm of seamless sanboxes (no file virtualisation, only righs management) like DefenseWall and GeSWall pro. DefenseWall asks no question (is absolutely quit). DW seperates the world of trusted and untrusted. It remembers whether (down loaded) files are untrusted. Untrsted sources are not allowed to change trusted sources.

GeSWall Pro only ask you how you want the ap to be sandboxed (it has 4 levels of snadboxing). After that it rembers you answer and works in more or less the same way as DW.

regards

K

 

I can try anything in my frozen snapshot : games, screensavers, software, ... whatever.
I only have to reboot to get rid of it, not only the game, ... but also the malware. I had at least the fun to SEE the software and without getting in trouble. A user without such tools is infected and hopefully one of its scanners will remove it, but that's not a guarantee.
So that is a little closer to foolproof. PowerShadow does exactly the same thing.

 

A very bold claim. It will be interesting to see if there will be ways to bypass this (not counting scripts) once it goes mainstream.

That does seem to be the crux of the whole HIPS protects against zero day boast. That no matter what, eventually the code will try to download and run some foreign exe that will be caught.


My admittedly limited understanding of many of the "Zero day buffer overflow exploits" is they don't usually use exes, so your executable protection is irrelevant at the start, but they eventually try to download and run some exe and it is at this stage they are blocked.

Still, some guys here have argued this isn't necessary, and they can ruin your whole system without being stopped by execution protection since the code can run in the context of an existing exe or something...

 

Adblocking programs help as well.

 

On a forum no longer in existence, the author of the program to bypass Deep Freeze (does not work on current versions of DF) speculated what it would take to have an executable get by Anti-Executable.

The fact that AE checks so many different aspects of an executable makes the task quite daunting. In addition, it's not clear that successfully bypassing one program (such as AE) would work with another (PG, SSM, etc)

This was the focus of a thread at DSLR in which it was argued that detecting the carrier (.ani in this case) required the code being put into the data base of the AV, where BOClean (in the example in the thread) stopped the payload -- the executable-- (which HIPS does also). This was also the case in last year's .wmf exploit, where AV didn't detect the .wmf file until the second day, but PG and others blocked the payload of that file from day-Zero.

This is certainly a valid point, which the recent PoC tests have demonstrated. But I asked, why would a malware writer today want to ruin someone's system? The money to be made is to have the system functioning to carry out commands.

None the less, if someone notices her/his system doing strange things (as the .ani PoC demonstrated) who here couldn't just reboot-to restore, or roll back, or re-image, or whatever?


-rich

 

(?)

Of course. I'd run a couple of forensic/integrity tools (HJT, RkU, RkR, FileChecker, Sentinel) and compare the output with clean logs. Then, re-image if necessary.

 

I read in PC magazines that some zero day exploits come from Ads on sites. If you have an adblocking program like adblock or another kind they won't appear keeping you safe.

 

An interesting situation occurred with the .ani PoC, as chronicled on the GRC Security Forum.

The PoC downloaded the test.ani file, and it could not be deleted from within Windows. Most did not know how to use DOS commands, so some DOS experts posted different ways of deleting the file, and it was evident that those rushing around frantically trying to delete it did not have a quick way to restore/roll back to a previous good state.

-rich

 

Rmus,
Do you have the link to that thread handy?

cheater87,
I got your point.

 

Adblocking can help protect you; but, keep in mind what the developer of Adblock Plus said in another thread recently:

 

The thread begins here:

Animated Cursor 0-Day Vulnerability
http://12078.net/grcnews/article.php?id=117511&group=grc.security

The posts about deleting the test.ini begin here:

Deleting PoC files from the Desktop )was: Animated Cursor 0-Day Vulnerability)
http://12078.net/grcnews/article.php?id=117551&group=grc.security#117551

-rich

 

Thanks

 

Perhaps I misunderstand it's purpose but doesn't BOClean effectively deal with Zero Day Exploits?

 

See discussion here:

http://www.dslreports.com/forum/remark,18111842

Notice the distinction he makes between detecting the carrier (means of delivery) and blocking the payload.

-rich

 

Very mistaken BOC does not deal with exploits and will only deal with payloads that are in their target definitions(as with all AV,AT and ASW).

 

Ok Guys, I get the point, exploits are simply the means of delivery; what BOClean blocks is the 'warhead' as soon as it attempts to execute.

 

and that is only if it *knows* the warhead....In otherwards malware code that is in their definitions database

At that point it becomes the same as any core signature based defending software,for example if it dose'nt know the malware when the code is loaded into memory then it is bypassed and the 'puter is potentially compromised/infected unless something else catch's&stops the malicious code on that machine.

HTH

 

You are the AE guy, but by AE checking many different aspects, I presume you are talking about the 80 or so exe types it recognizes? I was envisioning some other way around it then finding an exe type that is not recognised.

The question is this, can they do more other than merely trashing your system? It perhaps depends on the software that is being compromised..I used to be doubtful, but .........

That's a red herring, there was many forms of damage (e.g stolen information) that a roll back etc cannot cure.

Besides the whole "but i could rollback...." is a silly answer, because you could say that no matter what happened... But if rollbacking was a real and perfect solution, why are people still using other security measures and desperate to prevent intrusion?


Besides if we were strictly relying only on AE, how would you notice if the system is doing strange things?

 

I don't doubt the possibility. Any guesses?

I've become a cynic! I need to see in the wild verified exploits. Not a PoC that launches calc.exe. Even then, I would evaluate the likelihood that I would encounter such a thing and probably conclude it wouldn't happen.

It's pretty much accepted that the majority of exploits are initiated by the "click" on the attachment.

You will have to give an example step-by-step.

Well, all I normally run mostly now is a firewall and Deep Freeze.

I use AE for testing mainly. I ran it continuously for several months when I first found out about it, looking for a default-deny solution for families using one computer, where the parents controlled everything with young kids.

Running AE I've never had an alert in normal usage. Heck, before Win2K I never even used a firewall. If you use your brain, you don't need much else.

I think I was referring to someone who didn't have protection and somehow got infected in a drive-by and noticed something strange - say, the browser freezes.

 

Hi all,

I think the best protection would be a seamless sandbox (GeSWall or DefenseWall) combined with a smart (using white and blacklist) anti-executable or behavior blocker.

So I my Ideal security setup would be:
A hardware firewall

and the combination of
A. User friendly with less restrictive = behavior blocker (plus AV)
- seamless sandbox GeSWall Pro
- smart behavior blocker Primary Response Safe Connect with Norton AV (also very good heuristics, 2nd place on heuristics)

B. User friendly and strongest protection = anti executable
- seamless sandbox DefenseWall
- Online Armour (also FW) with NOD32 (best heuristics)


And offcourse decent backup/recovery software with an external harddisk (switching it off between backup is the best protection - disconnected)

Because I do not wanted to spend that money I settled for a hardware FW +
a) GeSWall Pro and EQSecure free, Antivir free on wife's PC
b) DefenseWall and DSA free, Antivir free on son's PC

In the current release GeSWall Pro has more default untrusted applications, but lacks the option (will be available in 2.6) to run untrusted downloads as trusted. DefenseWall is absolutely quite, but has an option to run untrusted downloads as trusted and has a roll back option for power users.

Regards K

 

Hi all,

I use nearly your B setup with GW 2.6 instead DW and i think too that's a good way to keep a closed door to malicious attacks.
Added another app using blacklist : BOClean and an immediate restoration software : RollbackRx

MaB

 

Hi Mab69,

I think GeSWall and DefenseWall have more or less simular protection strength. Only because B-setup uses an anti executable (assuming a B-type user has the knowledge to determine what is good and bad), this type of user might prefer the rollback functionality.

Initially we had GeSWall and DefenseWall swapped at our home PC's, but my son like's to try out software. Strange enough GW is simpler to use, but also offers some more advanced control (the file and registry track plus rollback/erase option) he asked for DW.

So I rate your setup as up

Anti Executable is also a great whitelist ap, just the firewall of AO makes it a better deal (unless you use first defense). In the classical HIPS arena, SSM-Pro is still the standard with Pro Security a great competitor. I am also keeping an eye to Blink (great deal with Norman Sandbox/AV), NeoavaGuard, CoreForce and Comodo (there development power will make their suite one of the best, no doubt).

Regards K