Custom-made ThreatFire Rules

Discussion in 'other anti-malware software' started by metalforlife, Apr 11, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    If I create write-permission restricting rules (to system directories and registry) in ThreatFire for my internet facing apps., would I need software like CMF, AppGuard, Sandboxie to protect me from being victimized by exploitation of software bugs?

    A couple more questions -

    When should I construct a "create" restriction rule and when should I construct a "write" restriction rule? And,
    If I create a "network access" rule, across the system, would it act as an outbound filter?

    Thanks

    I am a complete novice at all this, so I find it very confusing
     
    Last edited: Apr 11, 2009
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    A user here by the name of Kees1958 wrote a very detailed tutorial on rule creation in Threatfire,just have a hunt around for it.;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Interesting. I assume that this is not just for Threatfire, Kees but also for other HIPS/behaviour blockers who monitor the registry.

    Therefore you would not now advise running AG/EGS and TF?
     
  5. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks. That would certainly help me in setting up my ThreatFire.

    Could you answer my questions, as well?

     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    1. No not all, Malware Defender is okay, Defensewall is ok, CIS is ok, so can't prove that (only problem with TF)


    2. Yes do not run TF in combo with EdGuardSolo/AppGuard, use strip my rights instead or Software Restriction Policy options for business editions of XP (XP Pro and higher, Vista business and higher)

    Regards Kees
     
    Last edited: Apr 12, 2009
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A create restriction rule for All Users, Username programs startup folder, a write restriction to OS systemfiles and Windows32 directory


    Yes it acts as a simple outbound filter (you can also be signalled of programs starting/executing your web and e-mail browsers, allow explorer.
     
  8. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
  9. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks.

    Two more questions - What does "look like an executable" rule option mean? How does it exactly differ from exclusively specifying executable extensions?
    Also, what would a rule - tries to execute a file - *.exe - that looks like an executable - imply?

    Lastly - If I restrict access permissions for a process to c:\windows\system32, would the rule apply to the sub-folders of "system32" as well or will there be a need to add each and every folder individually?
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    the whole folder will be protected as it is included and apply the desired rule:)
     
  11. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    So, if I create a rule - "...any process, write, c:\windows\system32..." - will the HOSTS file be protected from modification?
     
  12. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Earlier, about the protection against exploitations, with what rule-syntax can such threats be averted. I know that ThreatFire by-default detects buffer overflows, but what about the ones which aren't detected? In such scenarios, how can I protect myself from the dropped payloads?

    The way I am spouting out those technical terms, it might give a false impression that I am quite knowledgeable in the computer security field, but I'm not.:shifty: I just have a vague idea of what those terms mean, most of the technical jargon flies right over my head.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Look like an executable = all executable filters, like *.exe, *.hta etc

    For host file protection there is already a standard custom rule, you only have to select it and apply
     
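The three rule questions in this thread (does a restriction on c:\windows\system32 also cover its sub-folders such as the HOSTS file location, how does "looks like an executable" differ from a plain *.exe filter, and how create/write/network rules are scoped) can be illustrated with a small model of how a path-scoped HIPS rule evaluator behaves. This is an added example written for this thread; it is not ThreatFire's engine or rule syntax, and every rule name, extension list, sample path and sample event in it is constructed for illustration. "Looks like an executable" is modelled as name-based (extension list) OR content-based (the 'MZ' magic bytes a PE image starts with), which is the distinction the question is about.

```python
# Toy model of path-scoped HIPS rules (constructed example, not ThreatFire's engine).
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Extensions a "looks like an executable" check treats as code; the set is illustrative.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".hta", ".cpl", ".sys"}


@dataclass(frozen=True)
class Rule:
    name: str
    process: str                  # glob on the acting process image, "*" means any process
    action: str                   # "create", "write", "execute" or "network"
    target: str = "*"             # directory scope (covers subfolders) or a glob such as "*.exe"
    looks_like_exe: bool = False  # for "execute": also require executable-looking name or content


@dataclass(frozen=True)
class Event:
    process: str
    action: str
    path: str = ""
    head: bytes = b""             # leading bytes of the target file, constructed in the samples


def _norm(path: str) -> str:
    """Lower-case, backslash-separated form so comparisons ignore case and slash style."""
    return str(PureWindowsPath(path)).lower()


def path_in_scope(scope: str, path: str) -> bool:
    """True when path is the scope itself or lies anywhere below it (subfolders included)."""
    s, p = PureWindowsPath(_norm(scope)), PureWindowsPath(_norm(path))
    return p == s or s in p.parents


def looks_like_executable(path: str, head: bytes) -> bool:
    """Name-based OR content-based: a PE image starts with 'MZ' whatever it is called."""
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXTENSIONS or head.startswith(b"MZ")


def target_matches(target: str, path: str) -> bool:
    """Wildcard targets are globs; plain targets are directory (or file) scopes."""
    if any(ch in target for ch in "*?"):
        return fnmatch(_norm(path), _norm(target))
    return path_in_scope(target, path)


def matching_rule(rules, event):
    """First rule whose process, action and target all match the event, else None."""
    for rule in rules:
        if rule.action != event.action:
            continue
        if not fnmatch(event.process.lower(), rule.process.lower()):
            continue
        if event.action != "network":        # network rules carry no path
            if not target_matches(rule.target, event.path):
                continue
            if rule.looks_like_exe and not looks_like_executable(event.path, event.head):
                continue
        return rule
    return None


# Constructed rule set mirroring the kinds of rules discussed in the thread.
RULES = [
    Rule("Protect OS files", "*", "write", r"C:\Windows\System32"),
    Rule("Startup folder drop", "*", "create",
         r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"),
    Rule("Browser launches code", "firefox.exe", "execute", "*", looks_like_exe=True),
    Rule("Outbound access", "*", "network"),
]

# Constructed events, not captured from a real system.
SAMPLE_EVENTS = [
    Event("iexplore.exe", "write", r"C:\Windows\System32\drivers\etc\hosts"),   # HOSTS is below System32
    Event("notepad.exe", "write", r"C:\Users\me\notes.txt"),                    # outside any scope
    Event("firefox.exe", "execute", r"C:\Temp\photo.jpg", head=b"MZ\x90\x00"),  # PE content, wrong name
    Event("firefox.exe", "execute", r"C:\Temp\readme.txt", head=b"hello"),      # plain text
    Event("explorer.exe", "create",
          r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update.lnk"),
    Event("iexplore.exe", "network"),
]


def evaluate(rules=RULES, events=SAMPLE_EVENTS):
    """Name of the rule that fires for each event, or None when nothing matches."""
    hits = []
    for e in events:
        r = matching_rule(rules, e)
        hits.append(r.name if r else None)
    return hits


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{e.process:13} {e.action:8} {e.path or '-':75} -> {hit}")
```

Running it shows the write to the HOSTS file matched by the System32 rule without listing drivers\etc separately, and photo.jpg matched by the "looks like an executable" rule even though a *.exe-only filter would have ignored it; the reverse, a file named *.exe with non-PE content, would still match a name-only filter, which is why the two rule options differ.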
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    yes indeed but in threatfire is already included by default,just check it in the custom rules and you are set to go,host custom rule;)
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    In its current version is there some workaround like just simply a WARNING instead of TF making a mistake and carrying off a system file to Quarantine? I could live with that until v.4.1 with DENY feature.

    EASTER
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Never mind that.

    It's looking like TF may be going the way of CyberHawk eventually and this long delay plus all the issues don't exactly encourage confidence in this app. BTW, for giggles i D/L'd off the website today, run it with some rules for awhile, got frustrated again because of its limitations and to add to my frustration it killed my mouse and keyboard like others reported long before me. I am very leery of that program now and not interested as before if this is the way they're going to toy with a once pretty nice security program.

    Done

    EASTER
     
  17. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I notice that it's still in your sig. Is it a love-hate-love kinda relationship?
     
    Last edited: Apr 13, 2009
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's off now, thanks for the reminder.

    I been hoping against hope PCTools would have refined that app by now but seems they're mired in something way over their head. Time to pass the Hot Potato to someone else. I bet Graphic Equaliser could fashion that baby into something special.

    Never mind EMSI, they already have the corner on that specialty form of intercepting and terminating via a very well designed Behavioral Blocker in mamutu.

    What a shame, and after Kees put so much effort in OUTSTANDING rules for it, but they seem to not be interested in anything but CANNED RESPONSES & EXCUSES. :thumbd:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    First they are going to overhaul ThreatFire's internal architecture, this will probably be ready by June/July (possibly something with 64 bits version). After that the Deny option will be implemented

    Regards Kees
     
  20. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    72
    @Easter

    There is activity going on over there - perhaps somewhat quietly but, nonetheless things are happening behind the scenes. Many of the issues that folks have discussed are being addressed...not all...but many. TF is not dead nor is it dying or abandoned. Give the PCT folks until late summer...I suspect that you'll be rather impressed with where they wind up...:eek:

    galileo
     
  21. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks for clarifying my doubts, jmonge and Kees1958.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    you're welcome
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I appreciate all the good encouragements but it's going to take some hard proof now to change my viewpoint on that app they could have already fixed by now. The keyboard filter thing was nearly a disaster had i not tested it on FD-ISR. Had to finally do a re-copy/paste after trying several different self fixes. IMO Vista has ruined everything the vendors worked so hard to achieve for years, just look at the empty slots now that used to buzz with activity.

    I never considered changing to MAC or LINUX but if this trend keeps up i may seriously jump ship like others before me.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try a Linux distro, Sudown is included, as a good firewall, AppArmor (HIPS) is part of Ubuntu distro, There are some free AV's for linux (AVG, Avast, Panda, Bitdefender), You can get Chromium also in Linux (there you have your sandbox), Easter you will go wild.

    Only down side is with the low market share, that there is not so much malware for linux around. Some say Anti Virus in Linux is as useful as anti conception for the dead :cool:
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I use AppGuard and TF along with your rules from a thread here https://www.wilderssecurity.com/showthread.php?t=183020&highlight=threatfire rules
    and I'm not seeing this. TF seems to be protecting the registry for me or at least I'm being alerted on some things can't say about all reg rules. What is your test for this so I could try for myself? I'm not doubting you since you are one of the more knowledgeable persons here at Wilders but want to check for me. Thanks
     