Easy security for anti-exploit & anti-ransomware

Discussion in 'other anti-malware software' started by Windows_Security, Apr 5, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
  2. Windows_Security
    Secure Folders allows you to protect folders. When you set a folder as read-only, ransomware can't encrypt the files.

    The idea is to trust a few programs which write to your data partition. Separating your documents from system folders by creating an extra data partition is good practice. When you don't know how to create a data partition, then this program is no good for you, because the configuration only works correctly when you have separate partitions.

    See picture on how to add trusted programs. I don't have my media player and PDF reader added to these programs, because these programs only read the files, so they don't need to have write/delete access. Besides my office programs, I have allowed Windows Explorer (my file manager) and SyncBack Free (my backup program).

    Trusted Applications.png
     
    Last edited: Apr 5, 2015
  3. Windows_Security
    Next protect your data partitions. I have set read-only on my D and M partitions (D = documents, M = media files). Now ransomware can't encrypt these data partitions anymore. As an extra I have also set deny execution on the Users folders (no-execution, see first line in picture).

    By allowing write access to AppData (located in C:\Users), you only have to allow a few programs write access to your data partitions. By setting deny execute on (all) user folders, all places normally accessible by internet-facing programs are protected by a deny execute, so they don't need to be in the trusted list.

    Mail programs write their content to a directory somewhere in C:\Users\[your name]\AppData. Browsers do the same, and they drop stuff in your Downloads folder, normally located in C:\Users\[your name]\Downloads.

    This is a nice catch 20-20 situation: internet-facing programs can't do any harm:
    a) They can't execute in C:\Users (user folders) (anti-drive-by execution)
    b) They can't write to your data partitions (anti-drive-by and anti-ransomware)




    Protect Folders.png
     
    Last edited: Apr 6, 2015
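The post above relies on Secure Folders to put a deny-execute on the user folders. As an added example (not code from the post and not part of Secure Folders), the script below does the same "no execution in Downloads/Temp" piece with plain NTFS ACLs and then verifies that the deny actually bites. Assumptions: it is run unelevated as the interactive user on Windows 7 or later, the folders in $NoExecFolders exist, and whoami.exe is available as a harmless probe binary. NTFS ACLs are per user rather than per program, so the Secure Folders trusted-programs list cannot be expressed here; the deny applies to every process running as $User.

```powershell
# Added example; not from the original post and not Secure Folders code.
# Puts a Deny-ExecuteFile ACE for the current user on the given folders (files only,
# inherited by everything dropped there later) and checks that a dropped EXE cannot start.
# Assumptions: unelevated interactive user, Windows 7+, folders exist, whoami.exe present.
# Caveat: the deny is keyed on the user SID, not on the program; every process running
# as $User is affected, and $User (or malware running as $User) can edit the ACL back.

param(
    [string[]]$NoExecFolders = @("$env:USERPROFILE\Downloads", "$env:LOCALAPPDATA\Temp"),
    [string]$User = "$env:USERDOMAIN\$env:USERNAME",
    [switch]$Remove   # strip the deny ACEs again (do this before installing software)
)

function New-DenyExecuteRule([string]$Identity) {
    # ExecuteFile, ObjectInherit + InheritOnly: applies to files in the tree, not to the
    # folders themselves, so "traverse folder" stays intact and the user can still browse.
    $ctorArgs = @($Identity, 'ExecuteFile', 'ObjectInherit', 'InheritOnly', 'Deny')
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

function Set-NoExecute([string]$Path, [string]$Identity, [bool]$Enable) {
    $acl  = Get-Acl -Path $Path
    $rule = New-DenyExecuteRule $Identity
    if ($Enable) { $acl.AddAccessRule($rule) } else { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-NoExecuteAce([string]$Path, [string]$Identity) {
    # True when a Deny ACE carrying ExecuteFile for $Identity sits on the folder.
    $hits = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    return [bool]$hits
}

function Test-ExecutionBlocked([string]$Folder) {
    # Functional check: a freshly copied whoami.exe inherits the folder's ACE, so
    # launching it must fail with "Access is denied" if the deny is effective.
    $probe = Join-Path $Folder 'noexec-probe.exe'
    Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -WindowStyle Hidden -Wait -ErrorAction Stop
        $blocked = $false    # it ran: the ACE is missing or overridden
    } catch {
        $blocked = $true
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
    return $blocked
}

foreach ($folder in $NoExecFolders) {
    Set-NoExecute -Path $folder -Identity $User -Enable (-not $Remove)
    '{0}: deny-execute ACE present = {1}' -f $folder, (Test-NoExecuteAce $folder $User)
}
if (-not $Remove) {
    'Probe launch in {0} blocked = {1}' -f $NoExecFolders[0], (Test-ExecutionBlocked $NoExecFolders[0])
}
```

Run it once to apply and once with -Remove before installing or updating programs that unpack into Temp. Because the ACE is bound to the user SID it also applies to the user's elevated token, but an elevated admin, or the owning user, can simply change the ACL again; that is the gap a per-program tool such as Secure Folders tries to close and this script does not.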
  4. Windows_Security
    Wait Kees, you have created a hole in your no-execution defense: Windows Explorer is able to start programs. Correct, see picture: I have moved WordPad to the temp folder and it is allowed to start by a trusted program such as Windows Explorer.


    Allow start by explorer.png
     
    Last edited: Apr 5, 2015
  5. Windows_Security
    But here is the trick. I assume Secure Folders sets ACLs; these are set on the user. In the advanced settings there is an option to enable Secure Folders in safe mode (NEVER DO THIS). So I wondered whether an elevated user was also allowed to execute, so I tried RUN AS ADMIN and setting RUN AS ADMIN in the compatibility options (see pictures 1 and 2).

    And voila, Secure Folders did not allow it to run. This implies that the trusted programs are only able to run as medium-level programs. UAC protects the Windows folder and the Program Files folder. So again a catch 20-20: Secure Folders does not allow a program to run elevated, and UAC does not allow an unelevated program to touch Windows and Program Files.

    Right click run as admin
    Block Run as admin_1.png


    Compatibility mode run as admin
    Block Run as admin_2.png
     
  6. Windows_Security
    Next password protect Secure Folders.

    PLEASE: DON'T FORGET TO DISABLE PROTECTION BEFORE UPDATING WINDOWS/PROGRAMS

    Password Protect.png
     
  7. Windows_Security
    Now we want to harden the trusted programs, so the first step is to add anti-exploit protection. Anti-exploit protection (by blocking the loading of scripting DLLs) hardens trusted programs.

    Download EMET 5.2, disable Certificate Trust (pinning) and remove your browsers from the Apps list (use MBAE Free for that). Next use the ASR option of EMET to block loading scripting DLLs.

    I block these DLLs (HTML, Flash, JScript/JavaScript, Visual Basic Script, PowerShell script) in my Office programs and mail: ASR: mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;pwrsh*.dll


    Block script dll's.png

     
    Last edited: Apr 5, 2015
  8. Windows_Security
    Anti-exploit protection step 2: move problematic scripting DLLs from ASR to EAF+ in EMET to harden the trusted programs.

    Some programs will give you trouble, because they need that DLL. Solution: remove the DLL displayed in the EMET pop-up (including wildcard *) and ADD these DLLs to EAF+ protection. Typical candidates are media players and mail readers. See picture where I have removed MSHTML.DLL and JSCRIPT*.DLL at ASR and added them at EAF+.


    EAF+.png
     
    Last edited: Apr 5, 2015
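Posts 7 and 8 block a list of script-engine DLLs with EMET ASR and then move the ones a program genuinely needs over to EAF+. The script below is an added example (not from the posts and not part of EMET): it takes the same ASR pattern list and reports which of those modules each trusted program currently has loaded, which is exactly the set EMET would pop up about and the post moves to EAF+. Assumptions: $Trusted holds the image names of your own trusted programs (edit it), the programs are running in your session, and EMET's module patterns are approximated here with PowerShell's -like wildcards.

```powershell
# Added example; not from the original posts and not EMET code.
# Snapshot of which ASR-listed script DLLs each trusted program has loaded right now,
# turned into a per-program "keep in ASR" / "move to EAF+" plan.
# Assumptions: $Trusted lists your trusted programs' image names; processes run in your
# own session (reading Modules of other users' processes needs elevation); pattern
# matching uses -like, an approximation of EMET's own wildcard handling.

$AsrPatterns = @('mshtml.dll', 'flash*.ocx', 'jscript*.dll', 'vbscript.dll', 'pwrsh*.dll')
$Trusted     = @('winword', 'excel', 'outlook', 'wmplayer', 'explorer')   # assumption, edit

function Get-AsrConflicts([string[]]$ProcessNames, [string[]]$Patterns) {
    # One record per (process, loaded module, matching pattern).
    foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        $modules = @()
        try   { $modules = @($proc.Modules) }
        catch { Write-Warning ('Cannot read modules of {0} (PID {1}): {2}' -f $proc.ProcessName, $proc.Id, $_.Exception.Message) }   # e.g. 32/64-bit mismatch
        foreach ($mod in $modules) {
            foreach ($pat in $Patterns) {
                if ($mod.ModuleName -like $pat) {
                    [pscustomobject]@{
                        Process = $proc.ProcessName; PID = $proc.Id
                        Module  = $mod.ModuleName;  Pattern = $pat; Path = $mod.FileName
                    }
                }
            }
        }
    }
}

function Get-AsrPlan([string[]]$ProcessNames, [string[]]$Patterns) {
    # Per trusted program: patterns it already needs (candidates for EAF+) versus
    # patterns it does not load and that can stay blocked in ASR.
    $conflicts = @(Get-AsrConflicts $ProcessNames $Patterns)
    foreach ($name in $ProcessNames) {
        $needed = @($conflicts | Where-Object { $_.Process -eq $name } |
                    Select-Object -ExpandProperty Pattern -Unique)
        [pscustomobject]@{
            Process       = $name
            Running       = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
            MoveToEafPlus = ($needed -join ';')
            KeepInAsr     = (@($Patterns | Where-Object { $needed -notcontains $_ }) -join ';')
        }
    }
}

Get-AsrConflicts $Trusted $AsrPatterns | Format-Table Process, PID, Module, Pattern -AutoSize
Get-AsrPlan      $Trusted $AsrPatterns | Format-Table -AutoSize
```

This is a snapshot: a program that has not yet needed jscript.dll (a mail reader before the first HTML message is previewed, for instance) shows clean here and will still trigger the EMET pop-up later, so use it to seed the EAF+ list and keep watching the pop-ups as the post describes. Run it from a PowerShell of the same bitness as the programs you want to inspect, otherwise the Modules read fails and is reported as a warning.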
  9. Windows_Security
    Complete anti-exploit protection (step 3): download MBAE Free and disable the Run command: see http://www.sevenforums.com/tutorials/87750-run-command-enable-disable.html

    Because MBAE Free protects your browsers in an intelligent way, you have the benefits of the smart protection in your browsers with full functionality, while using EMET's ASR (Attack Surface Reduction) for dumb blocking of scripting DLLs in your trusted programs. The downside is that you can't run scripts in Office documents, but that is the price you pay for free (buy MBAE Premium when you need scripts to run).

    Use a browser with a (free built-in) sandbox, like Chrome and you are good to go.
     
    Last edited: Apr 5, 2015
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Nice tutorial, Kees. Thnx :thumb:
     
  11. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    441
    Location:
    The Outer Limits
    Good clear step by step info. :thumb:

    I wonder has there been any testing of this set-up, not that it needs it, more just to see in action ?

    Regards Eck:)
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    333
    Testing such a scenario would require quite some 'custom' code and time. And I don't think that any researcher would spend time testing a set-up which does not yield a profit in any way.
     
  13. Windows_Security
    Bingo, you nailed it. :thumb:

    That is part of the beauty: use OS mechanisms to add extra protection without adding much code. This reduces the chance that an intrusion is successful, simply because the effort to evade this non-standard setup does not yield a profit (target group too small with too much hassle).

    So an attacker would have to pass the targeted application, like Chrome or Winword (1) & MBAE or EMET (2) & Secure Folders using ACLs (3):

    a) drive-by & social engineering = download + obfuscated user-triggered execution of malware (MBAE + no execution)
    b) ransomware = obfuscated user-triggered execution of malware (no execution) and encryption of user folders (read only)
    c) exploits = execute script (EMET ASR) + exploit bug (MBAE/EMET) + access to shell (7 forum reg tweak) + drop payload (MBAE + read only) + execute payload (MBAE + no-execute)
     
  14. Windows_Security
    Maybe someone with Win 8.1 could test:
    - set SmartScreen to admin approval
    - check whether Secure Folders would block the UAC prompt of SmartScreen when running a program downloaded from the internet
    (this would turn it into an even more secure default deny on Win 8/8.1)
     
    Last edited: Apr 5, 2015
  15. Minimalist
    I've tested it on Windows 8.1 in VM. If I set my download folder to no-execute, execution is blocked before I get any message from UAC.
     
  16. Windows_Security
    @Minimalist :thumb:

    Thanks for testing, so on Win 8/8.1 this setup is even stronger than on Win7, great, so:
    On win7 = anti-exploit, anti-ransomware and anti-elevate (user space)
    On win8 = anti-exploit, anti-ransomware and anti-execute (internet zone)

    Regards Kees
     
  17. Minimalist
    I tested the same configuration on Windows 7 and got same results as on Windows 8.1: "Windows can not access the specified device..."
    Maybe I didn't understand what you wanted us to test?
     
  18. Windows_Security
    Did you add windows explorer as trusted?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I'm a bit skeptical about using "file and folder" protection tools as anti-ransomware tools. If malware injects code into trusted processes it's game over.
     
  20. Minimalist
    No, that was a problem. After adding Explorer.exe to the list of trusted apps I get a UAC request on both systems. After elevating, Secure Folders blocks execution on both systems also.
     
  21. Minimalist
    AFAIK at the moment most ransomware launches its own processes and doesn't try to inject its code into other processes. Some new variants do use a file-infection technique to spread themselves, but that's the most I have read about it.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    That's a very good point. I like your explanation of the difference. I have always disabled UAC in the past because I used Online Armor, and it protects the system space and the Program Files folders. Now that I'm no longer using Online Armor I think I should enable UAC again.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    No doubt it works, but it's the easy part I wonder about. Using Appguard's privacy protection does this and seems to be much easier to me. Thoughts?
     
  24. Windows_Security
    Well, easy in the sense that in six steps you get exploit/ransomware/execution protection for free, so when you have AppGuard + HMPA providing similar protection (I do believe you have SBIE as well), then this freebie setup is completely redundant for you.
     
  25. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    @Rasheed187 is right, CTB-Locker and CryptoWall 3 are by far the most prevalent crypto-ransomware threats at the moment, and they both inject themselves in legitimate processes - meaning the encryption is actually performed by trusted processes. A limited overview:
    • CTB-Locker performs encryption from C:\Windows\Explorer.exe
    • CryptoWall 3 performs encryption from C:\Windows\System32\svchost.exe
    • VaultCrypt performs encryption from C:\Windows\System32\cmd.exe
    • TeslaCrypt performs encryption from its own process
    • CryptoFortress performs encryption from its own process
     