Disabling Dangerous Files?

Discussion in 'other security issues & news' started by xeda, Jan 4, 2007.

Thread Status:
Not open for further replies.
  1. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    I'm trying to harden my system by deleting or renaming questionable files.

    One of the files in question is FTP.exe.

    A few questions I have...

    1. Is FTP.exe commonly used in Windows exploits?

    2. Do any third party applications need FTP.exe to function properly? Applications such as Internet Explorer, or do they have their own built-in FTP functions?

    3. Would disabling FTP.exe or any other files help strengthen my system? Or would these files be dropped anyways in the event of an attack?

    Your thoughts? Thanks!
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    If and when a file is used / executed on your system without your knowledge, it means your system has been infected. This applies to any file. Therefore, disabling / deleting / renaming them is dangerous - you could end with an unbootable / crippled system.

    If you mean by FTP that you run an FTP server, that's a different story entirely, but this is the case here.

    Leave the files as they are. You should use a firewall and make sure that you do not locally execute malware.

    Mrk
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I disabled the kinds of things you are looking to do by renaming them years ago with no problems. This would stop malware from making use of them if they tried to, so I think it is a good idea if you don't use them. Afterwards you could also create text files with the same names as the ones you have renamed, and place them in the same locations as the genuine files with the newly named extension.

    For example, FTP.EXE renamed to FTP.OLD, a new text file FTP.txt created, then renamed to FTP.EXE. You could include some text in there to remind you what it is and why etc.

    Another one to rename is TELNET.EXE and there are lots more if you wished to. Not just EXE's either but DLL's too.


    StevieO
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,
    And what if you need ftp and telnet?
    Mrk
     
  5. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    Well...I know for sure that I don't use Telnet.

    However, I'm not sure about FTP...

    Does IE use FTP.exe to upload/download files? Or does it have its own built-in FTP functionality?

    The same question goes for malware. Do any of them use/need Windows files such as Telnet.exe, FTP.exe, etc. to operate? Or, do they have their own networking capabilities?
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    I have removed files like ftp & telnet in XP and I had no problems, e.g. downloading from FTP.
    I would like to do the same in Vista; when I have time, I will look for some dangerous files.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,
    FTP is also for upload. Besides, when you download via the browser, you're not using the ftp port on your computer, you're using the browser. Besides, both telnet and ftp are services, usually on manual or even disabled. So there's no need to kill the files. At worst, you can use Group Policies to prevent access to these tools or restrict them.
    Mrk
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Argh, you are right (screen), well I will just have to do a clean install again to get it back.
    Problem with GPO is that its settings cannot be backed up as easily as security templates. :'(
     
  9. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Disabling is generally a move to "break" automated malware that might employ the files to spread or function; the alternative is to simply monitor the files (object auditing in the OS would show access, or filechecker would show changes to the file itself).

    ftp.exe can be employed by several applications, including Windows Update, and is one of the files I'd be more inclined to simply log than actually remove/rename ;)

    If you do disable it, make sure your AV, firewall, etc. are still able to update.
    And yes, ftp is employed by malware quite often, the initial infector using it to download a larger payload.

    You can check / restrict its NTFS permissions, then test it's still able to do what you need (for instance Windows Update); this may or may not affect the ability of the malware to employ it.

    Keep good notes and test functionality as you go along.
    Don't rush it if this is the first time you're hardening an OS for your usage pattern/apps.
    Too many changes at once may leave you trying to figure out which one broke which app.

    Most automated tools are rather lean, and don't bring along a lot of replacement files, relying on default permit. While an actual intruder can figure a way around this stuff once into your box, it's really a poor return on investment for them unless you're sitting on top of a credit card database. The probability of a real honest-to-goodness haXor in your box is vanishingly small (unless he's found out about your massive p0rn collection :p)
     
    Last edited: Jan 5, 2007
  10. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    Thanks everyone for your help! :)
     
  11. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    Besides ftp.exe, tftp.exe is another that's often used by malware to download further payloads.

    However, there's a problem with simply deleting/renaming these files in that Windows file protection may simply replace them. Better to restrict their usage with policies.
     
  12. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    You mean with Group Policy Editor? I'm using XP Home, so I'm not sure if I have this option. o_O

    I'm also trying to harden some 98SE systems of mine as well...
     
  13. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    Right-click on the file and select Properties > Security tab and remove execute privileges.

    IMHO 98SE machines shouldn't be connected to public networks any longer as they're no longer supported. Therefore, they shouldn't be at risk in the first place. Time to upgrade.
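    As an added example (not code from any poster in this thread), a PowerShell script that reports, and optionally restricts and audits, execute rights on the tools discussed in Ice_Czar's and Ned Slider's posts above. It assumes an elevated Windows PowerShell session on an NTFS volume; the file list, the group name and the switch names are assumptions to adjust for your own system.

```powershell
# Added example, not from this thread. Assumes Windows PowerShell 5.1+ on an
# NTFS volume, run elevated. Target list and group name are assumptions.
param(
    [string[]] $Targets = @("$env:SystemRoot\System32\ftp.exe",
                            "$env:SystemRoot\System32\tftp.exe",
                            "$env:SystemRoot\System32\telnet.exe"),
    [string]   $Group   = "BUILTIN\Users",   # limited accounts, not admins
    [switch]   $Restrict,                    # add a Deny ExecuteFile ACE
    [switch]   $Audit                        # add a SACL entry for ExecuteFile
)

$Exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "$Path : not present (removed, or absent on this edition)"
        continue
    }
    # -Audit also loads the SACL, which is needed to add audit rules below.
    $acl  = Get-Acl -LiteralPath $Path -Audit
    # Only ACEs for the chosen group that carry the ExecuteFile bit matter here.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        (([int]$_.FileSystemRights) -band [int]$Exec) -ne 0
    }
    $state = if     ($aces | Where-Object AccessControlType -eq 'Deny')  { 'execute DENIED' }
             elseif ($aces | Where-Object AccessControlType -eq 'Allow') { 'execute allowed' }
             else   { 'no explicit execute ACE' }
    Write-Output "$Path : $state for $Group"

    if ($Restrict) {
        # A Deny ACE takes precedence over Allow. Note that local admin accounts
        # are usually members of Users too, so pick the group deliberately.
        # System32 files are owned by TrustedInstaller; Set-Acl needs ownership.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, $Exec, 'Deny')
        $acl.AddAccessRule($rule)
    }
    if ($Audit) {
        # Logs Event ID 4663 on execute attempts once the "Audit File System"
        # (Object Access) policy is enabled; the monitoring route Ice_Czar prefers.
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Group, $Exec, 'Success,Failure')
        $acl.AddAuditRule($rule)
    }
    if ($Restrict -or $Audit) { Set-Acl -LiteralPath $Path -AclObject $acl }
}
```

Run it without switches first to see the current state, then re-test Windows Update and your AV/firewall updates after any change, as the thread advises.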
     
  14. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    Hmmm, that doesn't seem to work, I'm using XP Home...
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Wouldn't it be simpler to install something like Process Guard? Then you would have complete control as to whether these progs ran or not.
     
  16. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    Oops, sorry - those permissions are only available in XP Pro.
     
  17. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Can you not just create limited user accounts for day-to-day activities; steer clear of the 'darker' places of the web; don't download and execute any file you don't trust completely; don't open attachments to emails and only view emails in plain text; install a software firewall and an anti-virus (and ideally a hardware firewall)?

    That would seem a more prudent policy than deleting system files that may be needed by the OS. Also have a look at the services running on your system, many of them you don't need, so just disable them.

    All these security products are all very well, but no substitute for an aware and careful user :)
     
  18. herbalist

    herbalist Guest

    Contrary to popular opinion and what Microsoft would have you believe, Win98 can be sufficiently hardened and secured for internet use. The Win98 CD has a policy editor that isn't normally installed. It's somewhat different than the policy manager for XP.
    Instructions for installing poledit98 here.
    More info on using poledit here.
    Poledit98 is also available for download on the above link if you don't have the 98 CD.
    Rick
     
  19. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    I agree 100%. ;)

    Thanks for the link...
     