Data access level protection

Discussion in 'other anti-malware software' started by Kees1958, Mar 16, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all


    I am wondering why not more people use or want a protection on data level, as offered in R-guard, DriveSentry, CoreForce and SensiveGuard. I am seeing good movements (f.i. ProSecurity) of HIPS offering this strong level of protection.

    For instance in my set up SensiveGuard protects (as additional layer of protection on both HIPS and FireWall) against the following

    Any program with an internet connection
    Rule: user initiated - read allow, write deny; non-user initiated - read deny and write deny, for files with extensions
    *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ini, *.hta, *.drv

    Any program
    Rule: user initiated - read allow, write allow; non-user initiated - read deny, write deny, for files with extensions like
    *.doc, *.xls, *.ppt, *.jpg, *.mpg, *.mp3, *.wav, *.avi, *.txt

    The nice thing is that when a malware is able to break through, you protect your files (executable-like files from modification and data files from reading/writing). Only a few whitelisted apps are allowed to modify (e.g. Windows and security app updates).

    Most people are nowadays behind a hardware firewall; with a hardware firewall even Stem says that few of these types of PC users need a full-featured software firewall when using a HIPS like SSM or ProSecurity.

    So why are people so focused on software firewalls and less on data walls when they have a HIPS like SSM or ProSecurity?

    Regards K
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I do not see the need for "data access level protection" if I am sandboxing vectors of infection and I have an execution interceptor.
     
  3. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    Hi Kees, how do you set up SensiveGuard against the BufferZone test? I'm trying to figure it out.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Depends on what kind of control you want. Maybe you want to control program permissions, and with that, other users.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at this thread https://www.wilderssecurity.com/showthread.php?t=161749

    It is important that you delete the default rules of the file security policy, see the thread (picture of post #10).

    Next you add the following (in the file security):

    1. Any program - user initiated read + modify allow, not initiated by user read allow, modify deny; go to the directories and click "add"

    Directory C:\ enter file type *.ini
    Directory C:\Windows enter file types *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ax, *.hta, *.drv
    Directory C:\Windows\System32\drivers\etc enter * (all files)

    2. Any program with internet connection (same for mail/P2P ap)
    user initiated read = allow, modify = deny, non user initiated (same allow/deny)

    directory is * (meaning all data), file types *.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.ax, *.hta, *.drv

    3. Any program
    user initiated read = allow, modify = allow, non user initiated is read + modify set to deny

    directory is * (or your data drive e.g. D:\)


    Because the "user initiated" allow does not protect you in 'shoot in the foot' tests (you allow the program to start yourself), the network firewall will cover for this when it is trying to break out.


    By the way, do you know a way to set EQsecurity to allow with tighter rules? When I change the rules from allow to block in the protection (execution plus driver loading is allowed, rest is all blocked), the allowed programs get allow, allow and the rest ask + allow. So in one way or another the changed ruleset of protection is not inherited by newly allowed processes/executables.

    Thx
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In traditional security setups, both the functionality and the accessible data are limited per user or role. In this context it is strange that nice apps like R-guard and firewalls with this capability (CoreForce and SensiveGuard) are not given much attention.

    Regards K
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, this is something that I really need, I just hope that it will be nicely implemented in SSM Pro, it must not be too intrusive of course. For example, currently you do have this feature in Neoava Guard, but IMO it's not really usable. At least, I haven't found a way to configure it correctly without getting too many alerts. :)
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    NeoavaGuard and SensiveGuard run fine alongside each other. When NeoavaGuard Beta 3 is out I will try the following: NeoavaGuard with behavior filters only, RegDefend liteware with Toni Klein's set, and SensiveGuard.
     
  9. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    FD seems much more important than RD or AD to me. In fact, if files and programmes are protected effectively, there is no need to use other HIPS apps.
    That is why I always use "SafeSystem 2006" and "ParadorFileProtection".
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx,

    I have looked these programs up. Very nice, a pity the Parador screen examples are so small. Because SensiveGuard is not developed anymore I am looking for a replacement for when we migrate to Vista 64-bit. Parador and R-guard are the ones I will probably try.

    Regards K
     
  11. EASTER.2010

    EASTER.2010 Guest

    Kees1958, very informative discussion on these indeed. Thanks. As I really have no critical need (at least as I see KIS6/Kerio covering it), could SensiveGuard still prove useful in watching over system or other folders/files with write/read/delete prevention? Alerts? That much of it would be of some interest in this present setup of mine.

    A look-over of ParadorFileProtection also shows some promise, but I'm not sure if I want to commit to a purchase of it when some free alternative might suit as well. Will have to study that one.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SensiveGuard is both a firewall and a datawall. The best thing about SensiveGuard is that it recognises user-initiated actions and non-user-initiated ones. Also, you can set exceptions for programs and processes and set general limitations for any program, any program with an Internet connection, and specific programs like P2P (e.g. LimeWire), mail and your Internet browser.

    Instead of a reactive response (like Tripwire), you have got a proactive response. I know you prefer RegDefend over MJRegistryWatcher for this (your quote "kernel is pro-active, polling is reactive"). So a program like this would suit you.

    See the link to my SensiveGuard review in post #5. By the way, do you know a good freebie to check the handles of the SDT?

    Regards Kees
     
  13. EASTER.2010

    EASTER.2010 Guest

    Good question. I know I do, but it will take some time to sort through some folders to get to it; when I do I'll post or PM it for you.

    Thanks
     
  14. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand

    Thanks Kees, eh, I did not install EQSecurity, I need some more time to play with SensiveGuard. Trying to run the BufferZone test.
     
  15. EASTER.2010

    EASTER.2010 Guest

    I'm sure there is a setting to completely disable the SensiveGuard firewall (until I can assure compatibility) but make use of the data level protection, if I read you right. Then doesn't this app take on the appearance of actually performing as a behavioral blocker/HIPS with files? Processes too?

    Thanks for the informative details. I like nothing more than to push one of my safety apps aside long enough to test this method for extra protection.

    EASTER
     
  16. EASTER.2010

    EASTER.2010 Guest

    Forget it! The thing couldn't even enter the GUI after boot up; I gave it 3 tries, then had to settle for a System Restore.

    SensiveGuard is either very incompatible with my present config or it needs serious attention.

    That's all folks
     
  17. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    I tried denying reading and modifying in my policy to test the BufferZone trojandemo test, but it was still able to access and read my Documents and Settings folder. I had set it up with Kees's rules and even changed from allow to deny for user initiated. Any ideas? One thing is that every time I start the trojan test, my SensiveGuard tray icon disappears because the test shuts down Explorer and restarts it again, but the process is still running in the background.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Korb,

    When I tried trojandemo I got the following response (see pic). I did not bother further. With your experience mentioned, I re-ran the test. When reading the logs I noticed that the file protection does not catch trojandemo, but the network protection does. Mmm, strange o_O With my first test I thought I had 'shot in my foot', because I initiated the start of Trojan.exe. Next I did the same test as you did (also disabling user initiated reads), but apparently SensiveGuard is not able to stop Trojan.exe from reading the disk, only from initiating outbound traffic.
     


    Last edited: Mar 19, 2007
  19. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    At first I thought it was maybe due to the placing of the rules; I deleted all rules and set up only 1 rule, to deny any reading of the Documents and Settings folder, but SensiveGuard still failed the test. It was not able to log the activities either.

    Sorry, did another test, but just to confirm again, will do a reboot again as my SensiveGuard icon is missing. I guess I made a mistake naming the file name.
     
    Last edited: Mar 19, 2007
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hmm, I dislike this; time to switch to R-guard or ParadorFileProtection maybe?
     
  21. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    Well, maybe not; check my rule again. I did make a mistake here: the file name should be *.* instead of *. to cover every file. So it was my mistake. SensiveGuard is now able to block the BufferZone test accessing the folder, but I still need SSM to stop the test from terminating Explorer.
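    As an added illustration (my own model written for this page, not SensiveGuard's code and not anything Kees or korb posted), the rule set from post #5 and the *. versus *.* slip from post #21 can be played through in Python. Everything about the matcher is assumed: rules are tested top to bottom and the first match decides, a rule directory covers its subfolders, "*" as directory means every path, file types are glob patterns applied to the file name, and an access matched by no rule is allowed. The program classes and sample paths are constructed for the demo.

```python
"""Toy model of a SensiveGuard-style file-access policy.

Added illustration only; not SensiveGuard's engine. Assumptions: rules are
checked in order and the first match decides; a rule directory is a prefix
that covers its subfolders; "*" as directory means every path; file types are
glob patterns matched against the file name; an access that matches no rule
is allowed (the policy only adds restrictions).
"""
import fnmatch
import ntpath
from dataclasses import dataclass

# File types the thread treats as "executable-like".
EXEC_TYPES = ("*.exe", "*.com", "*.dll", "*.tlb", "*.ocx", "*.vxd",
              "*.sys", "*.ax", "*.hta", "*.drv")

ALLOW_ALL = {"read": True, "modify": True}
READ_ONLY = {"read": True, "modify": False}
DENY_ALL = {"read": False, "modify": False}


@dataclass(frozen=True)
class Rule:
    scope: str        # "any" = every program, "internet" = programs with a network connection
    directory: str    # "*" or a directory prefix (assumed to include subfolders)
    types: tuple      # glob patterns matched against the base name only
    user: dict        # decisions for user-initiated read/modify
    auto: dict        # decisions for non-user-initiated read/modify


def name_matches(patterns, path):
    """Case-insensitive glob match on the base name. With glob semantics
    "*." only matches names that end in a dot, "*.*" needs a dot somewhere,
    and only "*" also covers extension-less names such as README."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def dir_matches(rule_dir, path):
    """True when path lies under rule_dir (or rule_dir is "*")."""
    if rule_dir == "*":
        return True
    prefix = ntpath.normpath(rule_dir).lower().rstrip("\\") + "\\"
    return ntpath.normpath(path).lower().startswith(prefix)


def build_policy(data_types=("*.*",)):
    """The three rule groups from post #5; data_types is the file-type field
    of rule 3, the one korb first entered as "*." by mistake."""
    return (
        # 1. Any program: system files readable by anyone, writable only by the user.
        Rule("any", "C:\\", ("*.ini",), ALLOW_ALL, READ_ONLY),
        Rule("any", "C:\\Windows", EXEC_TYPES, ALLOW_ALL, READ_ONLY),
        Rule("any", "C:\\Windows\\System32\\drivers\\etc", ("*",), ALLOW_ALL, READ_ONLY),
        # 2. Programs with an internet connection never modify executables, anywhere.
        Rule("internet", "*", EXEC_TYPES, READ_ONLY, READ_ONLY),
        # 3. Any program, all data: only user-initiated access is allowed.
        Rule("any", "*", data_types, ALLOW_ALL, DENY_ALL),
    )


POLICY = build_policy()


def decide(policy, program_scopes, path, op, user_initiated):
    """Return (allowed, index of the deciding rule or None). op is "read" or
    "modify"; program_scopes is the set of classes the program belongs to."""
    for i, rule in enumerate(policy):
        if rule.scope != "any" and rule.scope not in program_scopes:
            continue
        if not dir_matches(rule.directory, path) or not name_matches(rule.types, path):
            continue
        table = rule.user if user_initiated else rule.auto
        return table[op], i
    return True, None


if __name__ == "__main__":
    browser, editor = {"internet"}, set()   # constructed program classes
    for scopes, path, op, by_user in (
        (browser, r"C:\Windows\System32\kernel32.dll", "modify", False),
        (browser, r"C:\Program Files\App\app.exe", "modify", True),
        (editor, r"D:\Docs\report.doc", "read", False),
        (editor, r"D:\Docs\report.doc", "modify", True),
    ):
        print(path, op, "user" if by_user else "auto", decide(POLICY, scopes, path, op, by_user))
    # The "*." mistake: rule 3 then matches nothing, so background reads of data fall through.
    print("*. policy:", decide(build_policy(("*.",)), editor, r"D:\Docs\report.doc", "read", False))
```

    Running it shows why korb's first attempt failed: with "*." in rule 3 nothing matches, so a non-user-initiated read of report.doc falls through to the default allow. Under glob semantics "*.*" still leaves extension-less files (a bare README) uncovered; only "*" catches those, which is worth checking against whatever matcher a real product uses. Rule order also matters: the C:\Windows rule has to sit above the catch-all deny so that system DLLs stay readable by every program while the deny still applies to everything else.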
     
  22. EASTER.2010

    EASTER.2010 Guest

    EQSecure has already taken me by storm, just that fast, and as strongly as SensiveGuard failed my config miserably.

    Another new learning curve, but so far it shows extremely good potential. This one is going to be worth watching.

    Has this already been around a while in the Orient or is it new?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
  24. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    I have a funny feeling that firewalls, IDS and HIPS are possibly on the wrong side of the fence as per protecting Windows from this new generation of "devastation-ware." I've been working with an experimental install of Win 98 SE to an encrypted virtual drive, with reflexive boot-up files such that the encryption algorithm and the reflexive boot-up files change with a near random frequency. The boot-up files, if deleted by some very, very intelligent hacker or malware writer, have been loaded into the proper places in memory, and regenerate via an algorithm on the encrypted side.

    ONE BIG PROBLEM: With this level of security, it is very difficult to install certain software! So much for viruses, worms, trojans, malware and some legit software too. This concept needs a wee bit more work, because I don't want to disable encryption when using broadband and while installing software.

    This works well with XP SP2 and Vista, but the same software install bugs persist.

    Dave

    EDIT: The installation bug has been resolved: when all else fails, use the subst command, a few disposable batch files, one command.com, an access text log and a few DOS babies. Regeneration of batch files prevents a malicious DOS batch file from doing any damage.
     
    Last edited: Mar 25, 2007