Choosing anti-malware software: the dilemma of alerts

Discussion in 'other anti-malware software' started by Rmus, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Last edited: Feb 22, 2009
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Last edited: Feb 22, 2009
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Wilders search doesn't work with 3 letter search terms. SSM is System Safety Monitor.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295

    Last edited: Feb 22, 2009
  5. wat0114

    wat0114 Guest

    Sure, but it suits me just fine :) Besides, after running a HIPS in "learning mode" for a short while on a known clean system, most of the rules are automatically created anyways. Afterwards, the alerts are not as frequent. Still, I realize that even this latter, mitigated alert scenario will not suit the majority.

    Getting back to a solution you are seeking. Have you considered the "sandbox" approach? I'm using Sandboxie on my kid's computer with their browser and media player forced to run in the sandbox. Everything gets deleted when they close the programs. Their PC has never run better (it's old) and no security breaches to worry about or pop-ups to answer. NOD32 ver 2.7 also runs as resident. It can be set up so that only specifically chosen programs are allowed to access the internet. It is even possible to force programs that start in specific folders to run in the sandbox.

    I have it installed on mine as well but run it only if I feel I could be visiting dodgy sites. Defensewall is one I haven't used yet but it gets great reviews and the developer, Ilya, is first-rate, just as is Sandboxie's, tzuk. I'd say it's tough to go wrong with either program.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, as I discovered!

    Are you concerned that it is no longer being developed?

    ----
    rich
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295

    Sorry for any confusion caused!:) :D
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not to worry! My first search was Google. Some interesting uses of SSM initials!

    A Sandbox will contain/discard any unwanted intrusion via a remote code execution exploit, but I don't consider containment the same as preventing the exploit from running.

    I liken that to a person who has a leak in the roof, and rather than fixing the leak he puts a scoop under the leak and pipes the rainwater into a barrel, then empties the barrel after the rain stops.

    I want to prevent water from entering, not just being contained.

    Somehow the idea that malware could intrude by remote code execution is a repulsive notion. Like unwanted people sneaking into my home, even though booted out later. It's a matter of principle!

    ----
    rich
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I would have liked to see it still being improved. That said, SSM is/was a mature product. It doesn't require any form of updating to remain effective. The bugs were all fixed. I never had to get support from the vendor for anything except some bugs in the early beta versions. I can't speak for how it works on Vista or if it will work at all on Windows 7. It's also possible that some future patch or update will conflict with it or that it might conflict with some future software and the conflict won't get fixed. As long as there are no conflicts with such things, System Safety Monitor will continue to be a very powerful and reliable tool. I don't see any reason that it would be any less effective at enforcing a default-deny policy. As long as it's compatible with the OS I'm using, SSM will remain at the center of my security setup.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Very valid point Rmus regarding Anti-Executable, and I above nearly every single user in this forum and beyond blasted me for staying with XP Pro as old news, but the truth is exactly what you're alluding to, and IMHO Vista has created a huge mess for security vendors as well as force demanded incredible amounts of resources and effort just to make what can be compatible with XP, compatible.

    So security apps are still to this very day struggling to meld the two together and it simply will not work for every program, although many have been able to ease their way in, but not without a great mammoth effort to do so, and as I said, extra resources & efforts just when they had XP all but permanently locked down.

    Now I don't blame MS for moving up to another marketing distribution in Vista, but by design or accident, it's caused a great deal of confusion and lost time IMHO.

    And in the case of AE, looks like they can't even apply the same equal protections that made AE2 such a solid performer.

    Who knows what's in store come Windows 7 when vendors are going to have to go right back to the drawing board again. And the 60 thousand dollar question is will it really be any safer or will vendors have to start all over again?

    The Default-Deny principle has been a good one for this platform, and customers have become well acquainted with their purchase over time, but can or will it continue in other forms or programs? Or will we be relegated to turning strictly to virtual machines for reasonable protection from our good money going to waste to our ISP while our machines sit idle by some attack which has rendered it disabled?

    Bottom line, imaging apps may just end up being our only real protection when all is said and done unless Microsoft does something ingenious to divert access to file extensions to another source that's solidly protected by some virtual state or sandbox.

    The mere number of executable file extensions, any of which could be tapped into for remote execution. Anyone venture a guess just how many there really are at this point?

    And whatever happened to the notion not so long ago that MS was going to eliminate the registry?

    I'm done and no worse for wear than I was when I began this :blink:

    EASTER
     
  12. wat0114

    wat0114 Guest

    Understood Rmus. No one approach will work for everyone or will be considered adequate by everyone. We all have different needs and different agendas.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Virtualization and sandboxing have potential problems of their own. If malicious code does escape from the sandbox or virtual OS, what guarantee is there that the user will know it? Modern malware hides very well. If the system AV doesn't catch it before or during the install process, the OS could end up compromised for a long period of time.

    Imaging apps suffer from a similar problem. Restoring from a clean image does give you a clean system IF you know or suspect your system is infected and use it. There's the same problem again. Will the user know their system is compromised?

    IMO, the potential difficulty of detecting some of the modern malware makes default-deny the best option we have, short of an OS with a "read only" file system.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm now remembering a bit about SSM. Another member, Herbalist, always spoke highly of it, and he emphasized Default-Deny.

    One solution to my predicament with AE2 is that Microsoft still supplies OEM WinXP discs to vendors and you can still find some vendors who provide OS choices when purchasing a new computer.

    Last year I purchased an OEM WinXP disc for eventual replacing of my trusty Win2K system.

    Win2K/XP are problematical in that the user must be able to take care of himself/herself without security updates in the future. But it is an option...

    ----
    rich
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Rmus

    I can probably concoct something like this on my own, but was wondering if you have time, and since you try to specifically address remote exploit execution, piecing together something similar (if possible) that would also mimic replacing a system file like notepad for safety. I am curious just how far they might try to take this Conficker malware and if they end up propagating it to burn system files or worse.

    Just want to test something like this because this is becoming notoriously more confident to those who started out making it as is and just how far they could take it. Maybe even devising a method to sneak it into an alternate data stream which would really pull the wool over the hat in these disruptive projects of theirs.

    If not, I'll see what I can do to get something like this to jump into an ADS for maximum hiding potential.

    EASTER
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I have no idea how to do something like that. For that to happen, malware must have already intruded. In other words, after the fact.

    In another thread, fcukdat made this point in answer to a question about the threat of process injection:

    You can spend a lot of time thinking up tricky things that malware can do once it is allowed to execute.

    Or you can watch the exploits in the wild and ensure that you are protected from being compromised by intrusion by a malware executable.

    As you know, fcukdat has an open challenge to give him an exploit on a web site that can sneak onto his computer. You've analyzed lots of malware -- Why don't you take up that challenge and devise an exploit to replace notepad and see if you can make it work on his system.

    I'll make a page for it on my web site!

    As far as the Conficker worm, that should be a no-threat for home users who have any sense at all. The two attack vectors are:

    1) through open ports. Did no one learn a lesson from the Sasser and Blaster worms?

    2) through USB. Did no one learn a lesson from the digital frame USB exploits?

    Unfortunately, many home users don't keep up with the security scene, and so are unprepared when exploits like this burst on the scene.

    ----
    rich
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's the option I'll most likely choose. There's nothing about Vista that makes me want to try it. I doubt that I'll feel any differently regarding Windows 7. Win2K and 98 serve my needs quite well. I won't claim that it will hold true in all cases, but from my own experiences having tight control over the parent-child permissions for the individual processes makes many of the software exploits ineffective. The code may compromise the specific app it targets but if that app can't launch or manipulate a more sensitive part of the OS, the attacker gains nothing.

    When support for 2K ends, Microsoft and others will do their best to point out and exaggerate every possible flaw in an attempt to label the OS as insecure. The vast majority of what they "find" will be easily mitigated with presently available software. A few might even be real and require the user to make some changes. Even with an OS as old as 98FE, all of the "critical vulnerabilities" can be dealt with using available tools.
    That brings back memories of the malware that replaced the Winsock files with its own. Removing the malware would destroy its ability to connect to the net if you didn't have the repair tool handy. I don't see this being a problem with executables as most HIPS check the hash of executables before allowing them to run. With DLLs and other system/application components, it could be a real problem if an AV doesn't recognize the replaced file as malicious.
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Rmus, great discussion!

    You do realize that with Sandboxie you can set certain apps as the only apps that can run in the sandbox. I have firefox.exe as one of the apps that are permitted to run in my sandbox. When you posted about the 4th of July threat, I tried renaming the fireworks.exe to firefox.exe and it wouldn't run in my sandbox when I right-clicked it to run it sandboxed. Not exactly a remote code exploit but just an experiment on my part.

    I'm in the same boat as you. I used to take care of my sister's machine and kept it updated with Avast Home and Windows Defender installed. So far it's been malware free for over 1 year. Now she has bought a new Vista laptop, my mother is now online on my old XP Home box and I bought my niece a wireless card for her old XP Home laptop. That's 4 machines besides mine to look after. So far, I've set my sister's Vista account to limited and converted my niece's XP laptop to a limited account. Both seem to be functioning ok so far. If I can get the other 2 machines operating with limited accounts I'll be doing much better. 2 of the 4 have Sandboxie and Avast Home with Web, Network and normal resident shields running as an experiment.

    They and I still have to deal with pop-ups and they are clueless. I'm not much better myself as in all honesty I use my HIPS as a "radar detector" and when I get a pop-up that I don't recognize I deny it. If I'm surfing with a properly configured Sandboxie, I shouldn't get any pop-ups. But I do and it's usually due to recent Avira program updates like the guard that wants to run. I know to allow it because of the path but no way in heck would an average user be able to make an informed decision.

    I think LUAs, sandboxing, virtualization, anti-executables and SRP (which I know nothing about) may be our only hope for a simple solution. Otherwise I might tend to agree with your statement of going with Linux which I've only briefly experimented with. I also think that education of computers and the internet is highly important and way overdue.
     
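The two posts above turn on the same distinction: noone_particular notes that a HIPS checks the hash of an executable before letting it run, and innerpeace tested what a name-based restriction does with fireworks.exe renamed to firefox.exe. The Python below is an added example, not code from Sandboxie, SSM or any poster; the file contents, paths and the two policy classes are constructed stand-ins that show why one policy is fooled by a rename or an in-place replacement and the other is not.

```python
import hashlib
import ntpath

# Constructed stand-in file contents (not real executables); enough to show the policy logic.
FIREFOX_BYTES = b"MZ-sample-firefox-3.0.6"
FIREFOX_UPDATED_BYTES = b"MZ-sample-firefox-3.0.7"
FIREWORKS_BYTES = b"MZ-sample-fireworks-dropper"
NOTEPAD_BYTES = b"MZ-sample-notepad-original"
NOTEPAD_REPLACED_BYTES = b"MZ-sample-notepad-replaced"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class NamePolicy:
    """Default-deny allowlist keyed on the file name alone, the only thing a
    program-name restriction can see."""

    def __init__(self, allowed_names):
        self.allowed = {n.lower() for n in allowed_names}

    def allows(self, path: str, data: bytes) -> bool:
        return ntpath.basename(path).lower() in self.allowed


class HashPolicy:
    """Default-deny allowlist keyed on the SHA-256 of the file contents, the
    check noone_particular describes a HIPS making before an executable runs."""

    def __init__(self, trusted_contents):
        self.allowed = {sha256_hex(d) for d in trusted_contents}

    def allows(self, path: str, data: bytes) -> bool:
        return sha256_hex(data) in self.allowed


def decide(policy, path: str, data: bytes) -> str:
    """Return 'allow' or 'deny' for one execution request."""
    return "allow" if policy.allows(path, data) else "deny"


def run_scenarios() -> dict:
    """Run the thread's scenarios through both policies; returns a dict of decisions."""
    name_policy = NamePolicy(["firefox.exe", "notepad.exe"])
    hash_policy = HashPolicy([FIREFOX_BYTES, NOTEPAD_BYTES])
    cases = {
        # the genuine browser, as originally trusted
        "real_firefox": (r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX_BYTES),
        # innerpeace's experiment: fireworks.exe renamed to firefox.exe
        "renamed_dropper": (r"C:\Downloads\firefox.exe", FIREWORKS_BYTES),
        # EASTER's concern: a system file replaced in place, same name and path
        "replaced_notepad": (r"C:\Windows\notepad.exe", NOTEPAD_REPLACED_BYTES),
        # the cost of hashing: a legitimate update changes the hash and raises an alert
        "updated_firefox": (r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX_UPDATED_BYTES),
    }
    return {
        label: {"name_policy": decide(name_policy, path, data),
                "hash_policy": decide(hash_policy, path, data)}
        for label, (path, data) in cases.items()
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:17s} name-only: {result['name_policy']:5s}  hash: {result['hash_policy']}")
```

The last case is the price of the stronger check: a legitimate update also gets denied until its new hash is trusted, which is exactly the kind of alert innerpeace says an average user cannot judge.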
  19. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Don't LUA, AE and SRP-like come from Linux world?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The people I referred to in my original post have solved their problem for the immediate future, anyway, and have decided to stay with WinXP so that they can continue to use AE2. One who really wants a new computer found a vendor where you can choose your OS. The other decided to just do some upgrading: replace an old HD, power supply, fans, DVD drive.

    @innerpeace - thanks for the added information about Sandboxie. I'm passing this on to someone else who is interested.

    Sorry, I missed this question earlier, Easter. Yes, the hmmapi.dll connects as you show. I chose this so that you can imagine what might happen if this were the conficker DLL and permitted to run.

    Remote Code Execution exploits as Drive-by downloads get more attention, however, because they appear to be so sensational, therefore, often invoke fear.

    In many cases, I've found that people don't really know what a drive-by exploit does, therefore don't know how to specifically protect. They just install a group of products that are supposed to protect the computer. But if you do some research as the exploits are discovered, interesting patterns emerge that reveal what specifically protects against them. I keep a list, and here are those seen in the wild in the past year or so. My list includes those that pertain to me, so I omit exploits for Servers, Quicktime, etc. Note also that these are exploits, and not vulnerabilities. Few vulnerabilities become exploits in the wild. Think about that.

    [image: exploits-1.gif]
    2 exploit the IE browser
    1 attacks through open ports (conficker.a)
    3 exploit the Adobe Reader (PDF)
    1 exploits Adobe Flash (SWF)
    2 exploit MSWord
    1 exploits USB

    One obvious pattern is that no browser other than IE has an exploit targeted against it.

    The second pattern is that the payload is a binary executable file: normally a trojan dropper. This means that all attack vectors - including PDF, SWF, MSWord - are covered by having in place something to block the running of unauthorized executable files. (We'll omit here discussion about users being careful in deciding what files they open that arrive by email, or appear on a web site, but just consider the effect of such action)

    How did I determine the payload? I look for analyses. The Microsoft Bulletins normally do not describe the payload. They use a general statement referring to "remote code execution." But if you watch for analyses by AV companies and independent organizations like sans.org and shadowserver.org, you get the information. A good place to start is right here at Wilders. ronjor posts lots of links to articles about current exploits. Looking at the number of views, unfortunately these threads aren't as popular as one on "Hips and ADS" for example.

    Looking at a current MS09-002 analysis:

    http://isc.sans.org/diary.html?storyid=5884
    We learn that

    • the exploit delivers an executable in a Word document

    • it also may appear in a drive-by exploit targeting IE7 (it has since that writing)

    And a SWF analysis:
    http://isc.sans.org/diary.html?storyid=4468
    We learn that the payload is an executable file.

    You don't have to understand the complex code analysis (I certainly don't!) but I read until I see what the exploit payload is.

    It becomes evident that with proper protection in place, why I consider these exploits to be no-threats. I mentioned in another thread that I thought the single most important thing you can do to secure a PC is to understand how malware gets onto the PC. Without this, how can you decide what security solutions to employ?

    While patching is obvious, not always are patches quickly released. The current Adobe Acrobat Reader vulnerability will not be patched for about two more weeks.

    Understanding how exploits work lets you put into perspective articles with headlines such as, "100,000 websites hacked with SQL injection."
    If you look at an analysis, you get the real picture:

    New SQL Injection Attacks and New Malware
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507
    We learn that

    • javascript is required

    • IE is required

    • the payload is a binary executable file

    Now I know what preventative solutions will protect.

    Here are some old exploits where I've kept a tally of their occurrences as I found them mentioned in write ups. Even though some have been patched for years, they still appear in malware packs and continue to be effective, for obvious reasons:

    [image: exploits-2.gif]

    Omitted here are continuing probes to the trojan ports looking for a way in. These include the Sasser and Blaster worms.
    Firewall logs show hundreds daily.

    When you think about it, remote code execution exploits are really the easiest to prevent. That leaves the other way by which malware can get on to your computer to deal with: when you consent to install something.

    But that is another topic.

    ----
    rich
     
    Last edited: Feb 23, 2009
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    One Q pls.

    I guess SRP is based upon file extensions. How was this executable blocked, as it was a spoofed dll?
    Was the .bkx file extension specifically added to SRP?

    Thanks
     
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Hi Aigle,

    No, it has a list of executable extensions to be watched (the executable types, not the extensions). But it doesn't block based upon extension.

    So a spoofed dll will be blocked.

    The only way to get around SRP is to make a trusted process launch malicious code inside of its own process (example: an Excel sheet (trusted) executing malicious code using VBA from within Excel without calling external resources), or alternatively to use a trusted script interpreter to "execute" a malicious script.
    http://hype-free.blogspot.com/2008/10/limitations-of-software-restriction.html
     
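An illustration of the distinction Lucy draws between executable types and extensions: the Python below, an added example that is neither SRP's code nor anything posted in the thread, classifies a file from its MZ/PE header rather than its name, so a DLL sitting under a .bkx extension is still recognised while a text file named readme.exe is not. The minimal headers, paths and the extension list are constructed for the example; SRP's actual enforcement hooks are not reproduced here.

```python
import struct
import ntpath

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header
# Extensions an extension-only check would treat as executable (a constructed, partial list)
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".sys"}


def build_pe(is_dll: bool) -> bytes:
    """Construct a minimal MZ/PE header: enough for classification, not a loadable image."""
    e_lfanew = 0x40  # PE signature placed right after the 64-byte DOS header
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + b"PE\x00\x00" + coff_header


def classify_content(data: bytes) -> str:
    """Decide from the bytes alone whether this is a 'dll', an 'exe' or 'not-executable'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-executable"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "not-executable"
    # Characteristics sits 18 bytes into the COFF header, which follows the 4-byte signature
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def evaluate(path: str, data: bytes) -> dict:
    """Compare an extension-only check with a content check for one file."""
    ext = ntpath.splitext(path)[1].lower()
    kind = classify_content(data)
    return {
        "extension_check": ext in EXEC_EXTENSIONS,
        "content_check": kind != "not-executable",
        "kind": kind,
    }


def run_samples() -> dict:
    """Constructed samples, including a DLL hiding under a .bkx extension."""
    samples = {
        "spoofed_dll": ("C:\\Temp\\update.bkx", build_pe(is_dll=True)),
        "plain_exe": ("C:\\Temp\\setup.exe", build_pe(is_dll=False)),
        "text_named_exe": ("C:\\Temp\\readme.exe", b"just a text file"),
        "text_file": ("C:\\Temp\\notes.txt", b"just a text file"),
    }
    return {label: evaluate(path, data) for label, (path, data) in samples.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:15s} extension says exec: {result['extension_check']!s:5s} "
              f"content says exec: {result['content_check']!s:5s} kind: {result['kind']}")
```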
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Lucy.
     
  24. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    You're welcome. More information on the Start/Run Access and Internet Access settings can be found here. http://www.sandboxie.com/index.php?RestrictionsSettings
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    We can separate the two principal methods by which malware installs: Conficker included of course.

    1) From remote code execution (code embedded in web sites) and either deliberately or inadvertently clicking on an executable, either in a .zip/.rar file, email attachment, or a website link.

    2) Installing a new program before thoroughly researching its origins, track record, etc. - you can in this way disable your security and trust the installation.

    HIPS or another simple execution protection is one of the real safeguards for 1). It's pretty much accepted & adopted practice by many in the security community that an AV alone is just not reliable enough for this.

    The onset of "Storm" was yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription-based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, many of which haven't worked to expectations. It's not always their fault because there's plenty of blame to go around.

    For 2) There is nothing really to comment on, because everyone has her/his own ways of deciding what to trust, what to use, and how to check for abnormalities. If something does work effectively for you, who can argue otherwise?

    Not separating these two methods just confuses the discussion as to whether or not HIPS or a BEHAVIORAL BLOCKER or both can be of any use or not for the average user. Most not of course for obvious reasons. And so the endless infections and methods that deliver them will continue to flow down the pipeline and latch onto their targeted audience until Microsoft IMO gets serious and makes some radical changes in how they do business when it comes to building Operating Systems. Windows 7 is already getting attention from malware authors in their next wave to knock out the chair again from under their programming feats.

    Security Vendors will always be in the best possible position to plug the dikes in MS engineering limitations either indefinitely or until a radical change is made to how they build their systems.
     