Data access level protection

Hi all


I am wondering why not more people use or want a protection on data level, as offered in R-guard, DriveSentry, CoreForce and SensiveGuard. I am seeing good movements (f.i. ProSecurity) of HIPS offering this strong level of protection.

For instance in my set up SensiveGuard protects (as additional layer of protection on both HIPS and FireWall) against the following

Any programs with internet connection
Rule: user initiated - read allow, write - deny, non-user initiated read - deny and write - deny of files with extentions
*.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ini,*.hta, *.drv

Any Program
Rule user initiated - read allow, write allow, non-user initiated read - deny, wite - deny of files with extentions like
*.doc, *.xls, *.ppt, *. jpg, * mpg, *.mp3, *.wav, *.avi, *.txt

This nice thing is when a malware is able to break through, you protect your files (executables like files from modifying and datafiles from reading/writing). Only a few whitelisted aps are allowed to modify (e.g. windows and security aps update).

Most people are nowadays behind a harware firewall, with a hardware firewall even Stem says that few of these type of PC users need a full featured software firewall when using a HIPS like SSM or ProSecurity.

So why are people so focussed on software firewalls and less on data walls when they have a HIP like SSM or Prosecurity.

Regards K

 

I do not see the need for "data access level protection" if I am sandboxing vectors of infection and I have a execution interceptor.

 

hi kees,how does you setup sensive guard against bufferzone test.i trying to figure out .

 

Depends on what kind of control you want. Maybe you want to control programs permitions, and with that, other users.

 

Have a look at this thread https://www.wilderssecurity.com/showthread.php?t=161749

It is important that you delete the default rules of the file security policy, see the tread (picture of post #10).

Next you add the following (in the file security):

1. Any program - user initiated read + modify allow, not initiated by user read allow, modify deny, go to the directories and click "add"

Directory C:\ enter file type *.ini
Directory C:\Windows enter file types *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ax,*.hta, *.drv
Directory C:\Windows\System32\drivers\etc enter * (all files)

2. Any program with internet connection (same for mail/P2P ap)
user initiated read = allow, modify = deny, non user initiated (same allow/deny)

directory is * (meaning all data), file types *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ax,*.hta, *.drv

3. Any program
user initiated read = allow, modify = allow, non user initiated is read + modify set to deny

directory is * (or your data drive e.g. D:\)


Because the "user initaited" allow does not protect you in 'shoot in the foot' (you allow the program to start yourself) tests, the network firewall will cover for this when it is trying to break out.


By the way, do you know a way to set EQsecurity to allow with tighter rules. When I change the rules from allow to block in the protection (ecexution plus driver loading is allowed, rest is all blocked), the allowed programs get allow, allow and the rest ask + allow. So in one way or another the changed ruleset of protection is not inherited by newly allowed processes/excutables.

Thx

 

In traditonal security setups, both the functionality as the accessible data is limited per user or role. In this context it is strange that nice aps like R-guard and firewalls with this capability (CoreForce and SensiveGuard) are not given much attention.

Regards K

 

Yes this is something that I really need, I just hope that it will be nicely implemented in SSM Pro, it must not be too intrusive of course. For example, currently you do have this feature in Neoava Guard, but IMO it´s not really usable. At least, I haven´t found a way to configure it correctly without getting too many alerts.

 

NeoavaGuard and SensiveGuard run fine along side. When NeoavaGuard Beta 3 is out I will try the following NeoavaGuard with behavior filters only, Regdefens liteware with Toni Kleins set and SensiveGuard.

 

FD seems much more important than RD or AD to me. In fact, if files and programmes are protected effectively, it is no need to use other HIPS apps.
That is why I always use "SafeSystem 2006" and "ParadorFileProtection".

 

Thx,

I have looked these programs up. Very nice, a pitty the Parodor screen examples are so small. Beciase SensiveGuard is not developed anymore I am looking for a replacement when we should migrate to Vista 64bits. Parador and R-guard are the ones I will problably try.

Regards K

 

Kees1958, very informative discussion on these indeed. Thanks. As i really have no critical need (at least as i see KIS6/Kerio covering), could SensiveGuard still prove useful in watching over system or other folders/files with write.read.delete preventions? Alerts? That much of it would be of some interest in this present setup of mine.

A look over of ParadorFileProtection also shows some promise but not sure if i want to commit to a purchase of it when some free alternative might suit as well. Will have to study over that one.

 

SensiveGuard is both a firewall and datawall. Best thing of SensiveGuard is that it recognises user initiated actions and non-user initiated. Also you can exceptions for programs and processes and set general limitations for any program, any program with Internet connection and specific programs like P2P (e.g. LimeWire), Mail and your Internet browser.

In stead of re-active response (like tripwire), you have got pro-active response. I know you prefere Regdefens over MJRegistrywatcher for this (your qoute "kernel is pro-active, polling is reactive"). So a program like this would suite you.

See the link of my SensiveGuard review in post #5. By the way do you know a good freeby to check the handle's of the SDT?

Regards Kees

 

Good question. I know i do but will take some time to sort thru some folders to get to it, when i do i'll post or PM it for you.

Thanks

 

thanks kee, eh i did not install EQSECURITY, i need some more times to play with sensiveguard. trying to test bufferzone test.

 

I'm sure there is a setting to completely disable the SensiveGuard firewall (untill i can assure compatibility) but make use of the data level protection if i read you right. Then doesn't this app take on the appearance of actually performing as a behavioral blocker/HIPS with files? Processes too?

Thanks for the informative details. I like nothing more than to push one of my safety apps aside long enough to test this method for extra protection.

EASTER

 

Forget it! The thing couldn't even enter the GUI after boot up, i gave it 3 tries then had to settle for a System Restore.

SensiveGuard is either very incompatible with my present config or it needs serious attention.

That's all folks

 

i tried denied reading and modifying in my policy to test bufferzone trojandemon test,but it still able to aceww and read my document and setting folder.i had setting with kees's rules and even change from allow to denied with user intiated.any ideal. one thing is eveytime i start the trojantest, my sensiveguard tray icon dissapeared due to the test shutdown explorer and restarting again but the process still running in the background.

 

Korb,

When I tried trojandemo I got the following response (see pic). I did not bother further. With your experience mentioned, I re-ran the test. When reading the logs I noticed that the file protection does not catch trojan demo, but the network protection does. Mmm strange with my first test I though I had 'shot in my foot', because I initiated the start of Trojan.exe. Next I did the same test like you did (also disabling user initiated reads), but appearently SensiveGuard is not able to stop Trojan.exe from reading the disk, only from initiating outbound traffic.

 

at first i thought it was maybe due to the placing of the rules,i delete all rules and just setup only 1 rule .to denied any reading to document and setting folder.but sensiveguard still failed the test.it did not albe to log the activities too.

sorry, did another test.but just to confirmed again,will do a reboot again as my sensiveguard icon missing.i guess i make a mistake naming the file name.

 

Hmm, I dislike this, time to switch to R-guard or ParadorFileProtection may-be?

 

well maybe not,check my rule again.i did make a mistake here, the file name should be *.* instead *. to cover every files.so it was my mistake.sensive now able to block bufferzone test accessing to folder but still i need SSM to stop the test from terminating explorer.

 

EQSecure is already took me by storm just that fast and as strongly as SensiveGuard failed my config miserably.

Another new learning curve but so far shows extreme good potential. This one is going to be worth watching.

Is this already been around awhile in the Orient or is it new?

 

Btw, since you all are already testing quite a few apps, why not take DriveSentry for a testdrive? When it was launched months ago, I didn´t exactly know how powerful and how useful it was, perhaps you can give me some insight. Has it become any better?

http://www.drivesentry.com/moreinfo.htm
https://www.wilderssecurity.com/showthread.php?t=153419&highlight=drivesentry

 

I have a funny feeling that firewalls, IDS and HIPS are possibly on the wrong side of the fence as per protecting Windows from this new generation of "devastation-ware." I've been working with an experimental install of Win 98 SE to an encrypted virtual drive, with reflexive boot-up files such that the encryption algorithm and the reflexive boot-up files change with a near random frequency. The boot-up files, if deleted by some very, very intelligent hacker or malware writer, have been loaded into the proper places in memory, and regenerate via an algorithm on the encrypted side.

ONE BIG PROBLEM: With this level of security, it is very difficult to install certain software! So much for viruses, worms, trojans, malware and some legit software too. This concept needs a wee bit more work, because I don't want to disable encryption when using broadband and while installing software.

This works well with XP SP2 and Vista, but the same software intall bugs persit.

Dave

EDIT: The installation bug has been resolved: when all else fails, use the subst command, a few disposable batch files, one command.com, an access text log and a few DOS babies. Regeneration of batch files prevents a malicious DOS batch file from doing any damage.