default download folder settings?

Discussion in 'other anti-malware software' started by acr1965, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Windows 7, SP1, 32 bit UAC enabled, running as admin

    I'm not sure where to put this question so I figured might as well be here. Anyway, I want to make a default download folder on my desktop for my internet browsers: Firefox, Chrome, IE and Opera. And I want whatever is downloaded to those folders not to be able to install or execute without my intervention (i.e. right-click run as admin or whatever). This is to keep anything from downloading and installing/running via a drive-by download. Even though I have UAC enabled it's my understanding that some malware can circumvent UAC protections. I am assuming I will need to set the permissions of the folder?

    Would such a setup work to prevent drive-by downloads from installing on my computer? If so, what settings/permissions in the folder should I make? Would it make any difference if this folder was on my desktop versus some other location?

    thanks

    PS- I am not interested in running as a limited user
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    see https://www.wilderssecurity.com/showthread.php?t=296391
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The easiest way most likely would be to apply a Deny Execute to the directory using something like icacls. Usage would be like this:
    Code:
    icacls "c:\folder name" /deny users:(oi)(ci)(x)
    This will deny anyone execution rights to an executable file type within that directory. As well, the OI and CI will make any subdirectory or file also inherit this same restriction.

    You could also use SRP to deny execution within the directory. The advantage of SRP is that you have an easy way to control what file types will be denied.

    You could use Sandboxie to allow executions within that directory, but force the processes created into a sandbox that is denied network access, etc. The advantage to this is that you can still execute what is in there, and know that within the sandbox you can examine it, etc, but it cannot get out, and you can block outbound network as well.

    You could set the entire directory to a Low Integrity Level as well, and use different flags with it like No Execute Up. This would be a compromise situation. It holds some promise for a unique setup, but requires more finesse to give good security.

    Regarding where you place this directory, I would leave it in the c:\users\user-name\downloads location that is default. The only reason for this is it requires less work to use. Many programs will look there by default, so it saves you a step. It really doesn't matter where I suppose. I would probably keep it in the %userprofile% area somewhere though, rather than move it to c:\ or something.

    HTH.

    Sul.
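
Added example (not Sully's code or any project's): a PowerShell script that applies the icacls Deny Execute ACE from the post above and then confirms both that the ACE landed on the folder and that a newly created file underneath inherits it through the (OI) flag. It assumes an elevated PowerShell on an NTFS volume with the English "Users" group name; the folder path is a placeholder.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell, NTFS, English group names.
$Folder = Join-Path $env:USERPROFILE 'Downloads'   # placeholder; point at your download folder

# Deny execute (X) to the Users group; (OI)(CI) make files and subfolders inherit the ACE.
# Same command Sully posted, with the exit code checked.
& icacls $Folder /deny 'Users:(OI)(CI)(X)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Helper: true when the icacls listing for a path carries a DENY entry that includes (X).
function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    $listing = & icacls $Path
    $hit = $listing | Where-Object { $_ -match '(?i)\(DENY\)' -and $_ -match '(?i)\(X\)' }
    return [bool]$hit
}

# 1. The folder itself must now show the deny entry.
if (-not (Test-DenyExecute $Folder)) { throw "Deny Execute ACE not found on $Folder" }

# 2. A constructed probe file dropped into the folder must inherit it (the OI part).
$probe = Join-Path $Folder 'inherit-probe.txt'
Set-Content -Path $probe -Value 'probe'
try {
    if (-not (Test-DenyExecute $probe)) { throw "Inherited Deny Execute not found on $probe" }
    Write-Host "Deny Execute is in place on $Folder and inherited by new files."
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}

# To undo later (not covered in the post): icacls $Folder /remove:d Users
```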
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    ok thanks for the info- will try these out
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    is that ^ better than setting the folder to low integrity?

    Code:
    icacls "c:\folder name" /setintegritylevel (oi)(ci) L /t
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't believe there is a "better" between these two. They are different. I think that each can serve a purpose, and each has drawbacks. At times they might be used together, and at times apart.

    I think in this case, the request was how to keep things from executing, and the simplest measure is to add a Deny Execution flag to the directory. Using an Integrity Level could be used, but it is not as clear cut as Deny Execution.

    Sul.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not to mention that setting a low integrity level won't prevent anything from executing. It will prevent from executing to places with a higher integrity level, only. But, it can still execute to places with a low integrity level.

    The best, IMO, would be to set both a low integrity level and deny execution using the 1806 trick/remove execution permission.

    The 1806 trick would still deny execution no matter where you place the executable afterwards, as long as it's downloaded with the web browser, and not using a download manager. I hope I'm not mistaken, but if downloading with the web browser, under Sandboxie protection, moving the executable out of the downloads folder will kill the 1806 trick.
     
  8. x942

    x942 Guest

    I do this:
    AppLocker: nothing can execute except from Windows folders and my "installer" folder.
    Deny execute on the downloads folder as well
    Low integrity on downloads folder
    Also I block scripts from the download folder and Temp folder via AppLocker

    This way I have to right-click unblock, then move it to my install folder, then right-click run as admin (no installer detection), switch to secure desktop and enter my password :)
    And that is on top of my other protection. This may be a little overkill but it works well :)
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The 1806 only utilized the ADS (alternate data stream) in a certain way.

    When executing a file with a proper ADS, you will:
    1. be shown nothing and file executes
    2. be shown a prompt to execute (yes or no) along with a message about the file coming from the internet
    3. be shown the execution is being denied
    4. be shown nothing as the execution is denied

    The browser you use to download the file with will create a different ADS. IE and Chrome seem to create the best, while Firefox and Opera do it differently, and the results I suppose end up the same, just different.

    The ADS should follow the file from Sandboxie to the real location provided it does not pass to a drive that is formatted in FAT instead of NTFS. Only NTFS allows this ADS to exist. Indeed copying files to a FAT drive, then back to NTFS drive is enough to "cleanse" the files of ADS that might exist.

    The 1806 trick is a nice feature if one wants to deal with all those messages. The ADS is file attached, so in order to execute it, you must set the properties to allow execution if you are denying by default. If one is happy with the prompt to execute, then it is somewhat easier, although perhaps less secure in some instances.

    I don't recall if I specifically tested an ADS that migrated from Sandboxie to the real system. Perhaps it does not follow along.

    Sul.
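
Added example (not Sully's code or any project's): a PowerShell script that reads the Zone.Identifier alternate data stream browsers attach to downloads, which is what the 1806 prompt/deny behaviour and the right-click "Unblock" button act on. It marks a constructed temp file the way a browser would, reads the zone back, then shows that Unblock-File strips the stream; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and an NTFS volume.
function Get-DownloadZone {
    # Returns the ZoneId from a file's Zone.Identifier ADS, or $null if the stream is absent
    # (never marked, or "cleansed" by a trip through a FAT volume as Sully describes).
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    # The stream is INI-style: a [ZoneTransfer] section with ZoneId=<n>; 3 is the Internet zone.
    foreach ($line in (Get-Content -Path $Path -Stream 'Zone.Identifier')) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# Constructed probe file, not a real download.
$probe = Join-Path $env:TEMP 'zone-probe.txt'
Set-Content -Path $probe -Value 'probe'
try {
    # A freshly created local file carries no mark.
    if ($null -ne (Get-DownloadZone $probe)) { throw 'fresh file should have no Zone.Identifier' }

    # Mark it as a browser would: ZoneId 3 = Internet.
    Set-Content -Path $probe -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
    if ((Get-DownloadZone $probe) -ne 3) { throw 'expected ZoneId 3 after marking' }
    Write-Host "Marked: $probe is in zone $(Get-DownloadZone $probe) (Internet)"

    # Unblock-File removes the stream; this is the scripted form of the right-click "Unblock"
    # step x942 describes, after which the 1806 setting no longer applies to the file.
    Unblock-File -Path $probe
    if ($null -ne (Get-DownloadZone $probe)) { throw 'Zone.Identifier should be gone after Unblock-File' }
    Write-Host "Unblocked: Zone.Identifier stream removed"
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```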
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As I mentioned, I didn't remember if it was what happened, with Sandboxie. I no longer use Sandboxie for my web browsing. There's no need. But, I did verify it, and I was wrong. Most likely, something else came into play, back then. I don't know what happened... For all I know, the registry entry could be to its normal, and I totally forgot about it, which is the most likely scenario. :blink:

    Anyway, I just wanted to make users aware that the 1806 trick won't apply to download managers.
     
  11. x942

    x942 Guest

    Deleted

    EDIT: Sorry didn't see previous post :(
     