Custom-made ThreatFire Rules

Discussion in 'other anti-malware software' started by metalforlife, Apr 11, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    If I create write-permission restricting rules (to system directories and registry) in ThreatFire for my internet facing apps., would I need softwares like CMF, AppGuard, Sandboxie to protect me from being victimized by exploitation of software bugs?

    A couple more questions -

    When should I construct a "create" restriction rule and when should I construct a "write" restriction rule? And,
    If I create a "network access" rule, across the system, would it act as an outbound filter?

    Thanks

    I am a complete novice at all this, so I find it very confusing
     
    Last edited: Apr 11, 2009
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    A user here by the name of Kees1958 wrote a very detailed tutorial on rule creation in Threatfire,just have a hunt around for it.;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Interesting. I assume that this is not just for Threatfire, Kees but also for other HIPS/behaviour blockers who monitor the registry.

    Therefore you would not now advise running AG/EGS and TF?
     
  5. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks. That would certainly help me in setting up my ThreatFire.

    Could you answer my questions, as well?

     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    1. No not all, Malware Defender is okay, Defensewall is ok, CIS is ok, so can't proove that (only problem with TF)


    2. Yes do not run TF in combo with EdGuardSolo/AppGuard, use strip my rights instead or Software Restriction Policy options for business editions of XP (XP Pro and higher, Vista business and higher)

    Regards Kees
     
    Last edited: Apr 12, 2009
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A create restriction rule for All Users, Username programs startup folder, a write restriction to OS systemfiles and Windows32 directory


    Yes it acts as a simpel outbound filter (you can also be signalleed of programs starting/executing your web and e-mail browsers, allow explorer.
     
  8. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
  9. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks.

    Two more questions - What does "look like an executable" rule option mean? How does it exactly differ from exclusively specifying executable extensions?
    Also, what would a rule - tries to execute a file - *.exe - that looks like an executable - imply?

    Lastly - If I restrict access permissions for a process to c:\windows\system32, would the rule apply to the sub-folders of "system32" as well or will there be a need to add each and every folder individually?
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    the whole folder will be protected as it is included and apply the desire rule:)
     
  11. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    So, if I create a rule - "...any process, write, c:\windows\system32..." - will the HOSTS file be protected from modification?
     
  12. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Earlier, about the protection against exploitations, with what rule-syntax can such threats be averted. I know that ThreatFire by-default detects buffer overflows, but what about the ones which aren't detected? In such scenarios, how can I protect myself from the dropped payloads?

    The way I am spouting out those technical terms, it might give a false impression that I am quite knowledgeable in the computer security field, but not.:shifty: I just have a vague idea of what those terms mean, most of the technical jargon flies right over my head.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Look like an executable = all executable filters, like *.exe, *,hta etc

    For host file protection there is already a standard custom rule, you only have to select it and apply
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    yes indeed but in threatfire is already included by default,just chech it in the custom rules and you are set to go,host custom rule;)
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    In it's current version is there some workaround like just simply a WARNING instead of TF making a mistake and carrying off a system file to Quarantine? I could live with that intill v.4.1 with DENY feature.

    EASTER
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Never mind that.

    It's looking like TF may be going the way of CyberHawk eventually and this long delay plus all the issues don't exactly encourage confidence in this app. BTW, for giggles i D/L'd off the website today, run it with some rules for awhile, got frustrated again because of it's limitations and to add to my frustration it killed my mouse and keyboard like others reported long before me. I am very leary of that program now and not interested as before if this is the way their going to toy with a once pretty nice security program.

    Done

    EASTER
     
  17. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I notice that it's still in your sig. Is it a love-hate-love kinda relationship?
     
    Last edited: Apr 13, 2009
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    It's off now, thanks for the reminder.

    I been hoping agaist hope PCTools would have refined that app by now but seems their mired in something way over their head. Time to pass the Hot Potatoe to someone else. I bet Graphic Equaliser could fashion that baby into something special.

    Never mind EMSI, they already have the corner on that specialty form of intercepting and terminating via a very well designed Behavioral Blocker in mamutu.

    What a shame, and after Kees put so much effort in OUTSTANDING rules for it, but they seem to not be interested in anything but CANNED RESPONSES & EXCUSES. :thumbd:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    First they are going to overhaul ThreatFire's internal architecture, this will problably be ready by June/July (possibly something with 64 bits version). After that the Deny option will be implemented

    Regards Kees
     
  20. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    65
    @Easter

    There is activity going on over there - perhaps somewhat quietly but, nonetheless things are happening behind the scenes. Many of the issues that folks have discussed are being addressed...not all...but many. TF is not dead nor is it dying or abandoned. Give the PCT folks until late summer...I suspect that you'll be rather impressed with where they wind up...:eek:

    galileo
     
  21. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks for clarifying my doubts, jmonge and Kees1958.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    your welcome
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I appreciate all the good encouragements but it's going to take some hard proof now to change my viewpoint on that app they could have already fixed by now. The keyboard filter thing was nearly a disaster had i not tested it on FD-ISR. Had to finally do a re-copy/paste after trying several different self fixes. IMO Vista is ruined everything the vendors worked so hard to achieve for years, just look at the empty slots now that used to buzz with activity.

    I never considered changing to MAC or LINUX but this trend keeps up i may seriously jump ship like others before me.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try a Linux distro, Sudown is included, as a good firewall, AppArmour (HIPS) is part of Ubuntu distro, There are some free AV's for linux (AVG, Avast, Panda, Bitdefender), You can get Chromium also in Linux (there you have your sandbox), Easter you will go wild.

    Only down side is with the low market share, that there is not so many malware for linux around. Some say Anti Virus in Linux is as usefull as anti conception for the dead :cool:
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I use AppGuard and TF along with your rules from a thread here https://www.wilderssecurity.com/showthread.php?t=183020&highlight=threatfire rules
    and I'm not seeing this. TF seems to be protecting the registry for me or at least I'm being alerted on some things can't say about all reg rules. What is your test for this so I could try for myself? I'm not doubting you since you are one of the more knowledgeable persons here at Wilders but want to check for me. Thanks
     
Thread Status:
Not open for further replies.