Feedback asked

Discussion in 'other anti-malware software' started by Kees1958, Sep 21, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, the design of Safe Admin (thanks to Sully) is nearly finished. It will be a user friendly application for Vista/Windows x32/x64 running admin with UAC on.

    It improves UAC security by
    a) Elevate only from safe locations (is C:\Windows and C:\Program Files)
    b) Disables installer detection (you need to right click and run as administrator to install when not safe location)
    c) option to only elevate signed programs
    d) Throws a warning (pop-up) when a non-signed driver tries to install

    It applies existing Windows features
    a) Running Browsers and Mail programs with Low rights (=protected mode, presets for Firefox and Opera included)
    b) Setting Download directories and mail directories with No-Execute-UP Access Control (this effectively protects you from drive by infections, it disables run from within browser or mail, while you can start downloaded executables with explorer without any interferance)
    c) Mitigating E-mail and Browsers with EMET 2 (Microsoft feature)
    d) option to run browsers and e-mail als virtualised processes, see https://www.wilderssecurity.com/showthread.php?t=282550

    Has an Avanced section in which you can contain processes often exploited (Adobe reader, Flash, etc).


    Please provide feedback on the options in red (include as options in Safe-Admin or not): would you like them in Safe-admin or not?

    Thanks
     
    Last edited: Sep 21, 2010
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See picture. I have this as my setup with Windows FW 2-way with no other real time security programs. I actively am hunting malware domains (like Matt and Languy :D ) and have not (yet) been infected. It seems an easy to use (yes with Safe-admin program of Sully), low (less than default UAC) pop-up, safe and super light setup
     

    Attached Files:

    Last edited: Sep 21, 2010
  3. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    As long as it is easy to use, :thumb:
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    is this really improving UAC security or lowering for user-friendliness? :<
     
    Last edited: Sep 21, 2010
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    correct me if I'm wrong about how the built-in virtualization works...

    I think the system was the one shielded from the application... rather than the application shielded from the system. :doubt:

    ex: downloaded files wont touch the system... but keyloggers from the system can log keystrokes of the virtualized app etc.
     
    Last edited: Sep 21, 2010
  6. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Will this work for 'Home Editions' as well (XP Home, for example)? Thanks.
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Please do a spelling check. I see in the image one or more words that are not spelled correctly. Example: applicatioin.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes medium rights applications have access to the user space. Only (auto) elevating from safe locations is only allowing allready installed programs to elevate (which you trusted otherwise they would not be installed). The safe locations are protected by UAC, so it creates a clear line.

    You can still install any program by right clicking and run as admin. It prevents sneaky installs/staged elevations.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yeh, but they can't execute, so won't install in the first place (RMUS mantra when it can't execute it can't intrude your system)

    Who is shielded from whom, is less important than the fact of having an extra safety net without cpu performance loss as fas as I undertstand it, but who knows more on this feature, please eleborate
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Vista was not a succes but it sure helped signing drivers and programs, so the option elevate only signed programs does not limit me in the useability of the system (most legitemate software is signed nowadays).
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    program files can execute, and the one I was worrying about is my 'games' again.. they might have the ability to keylog or something.


    I can't argue more. :thumb:
     
  12. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I was thinking this virtualization feature is something like Sandboxie....
    have you tried checking if the virtualized files are 'flushed' after I close the application?
     
  13. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi, good work Kees, but I have a question if you dont mind, how does your program compare to sandboxie with the LUA option enabled? (on x64 windows that is).

    Does your product make UAC airtight? I recall reading that UAC want implemented as a full security solution due to potential conflicts with programs, its kind of a half hearted attempt by MS to do sthg about malware but not quite there. Google 'UAC bypass by malware'
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See https://www.wilderssecurity.com/showpost.php?p=1753529&postcount=239
    and https://www.wilderssecurity.com/showpost.php?p=1753792&postcount=242

    It is actually Sully's program. It is not a question of OR it is AND

    Safe-Admin provides a better UAC and a low rights world
    1. Providing a better UAC border between Medium and HIGH rights.

    Microsoft realised some pretty good security mechanismes DACL, SACL, UAC, Virtualisation in Vista. Due to compatibility and as you mentioned half hearted design principles, UAC is stange duck: it does not have an option to remember but it has an option (e.g. intelligent installer detection) for malware to abuse.

    Safe-Admin overcomes this. Even when you decide to set UAC to Quiet elevation (you get no prompt) the Safe-Admin + Quiet elevation provides much more security than the alternative (disabling UAC). When you now use the default UAC, the security gets way better.

    2. Providing a Low rights world for mainstream Browsers and Email.
    Chrome runs fully isolated in policy container+job+alternate desktop, Internet Explorer runs is a low rights policy container, Firefox and Opera run medium rights. Safe -Admin applies LOW rights for all (so FF + Opera users win) plus a drive-by protection (No Execute UP of download directory) for all browsers plus EMET-2 protection (a security tool of M$). The same is done for your e-mail.

    Sandboxie has an option to run with Medium rights (Limited USer), Safe-Admin makes it runs in a safer Low rights environment. Also when you download a program, only outside the browser it can be started (same as anti-executable option for Sandboxie).

    Since Sully is a great fan of Sandboxie. He will make sure that SBIE will run nicely with Safe-Admin.

    Safe-Admin can be used with any other program, since it uses existing MicroSoft mechansimes. With a Vista/Windows Home version you will get a fair share of the benefits of a well configured Professional version without the cost and the required configuration knowledge.
     
    Last edited: Sep 22, 2010
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    virtualized media players (wmplayer.exe, mpc-hc.exe) is goooooooood :D
    virtualized p2p downloader (utorrent.exe / limewire) is gooooooood :D


    but I'm not virtualizing my browser... :doubt: I think its fine... but I found out IE8 is already running virtualized even if I did not configured it to.
    yahoomessenger.exe is also automatically virtualized.
     
    Last edited: Sep 22, 2010
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Virtualised files are located in %UserProfile%\AppData\Local\VirtualStore

    So for me that is

    C:\Users\Kees\AppData\Local\VirtualStore


    Virtualised regsitry keys in
    HKEY_CURRENT_USER\Software\Classes\VirtualStore

    Cheers
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    WOW. A secret project.
    You guys have been doing a lot of tweeking and now are putting together a product? Cool.
    A big issue with Windows is all of the tweeking required from a fresh install.
    1 hour to install and 3 to configure it.
    Is this going to be a combo of all the tweeks stuffed into a .net? :D
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :D Not secret and no Dotnet needed :thumb:

    Configuration estimate: less than 3 minutes
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    .net?

    <shudders uncontrollably>

    Perish the thought.

    I like stand-alone executables along with .ini files or reg entries if needed. I have avoided .net intentionally. They call it dll hell for a reason ;)

    Sul.
     
  21. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    In my research I discovered a lot of programs are not signed, because the author doesn't have the resources available. Enabling this option will decrease user friendliness.

    I really like your project and don't want to discourage you, but are there outside of corporate environments still people using e-mail clients? The majority of people I know use gmail, hotmail/live or another webmail service.

    I'm curious how you want to virtualise e-mail clients? Which HTML rendering engine does it use and will it also be virtualized?

    Personally, I'm migrating from Outlook 2007 to 2010 for the following reasons:
    • Data Execution Prevention (DEP) support for Office applications
    • Protected View A feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment.

    As with browsers, I'm migrating to Google Chrome so I can use the browser and both PDF and Flash plugins sandboxed.
     
  22. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
    This software has a website or something?
     
  23. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Hi Kees,

    Reading the linked Wilders thread, you refer in the last post to an article which mentions; "Process Target Architecture. FARV is not enabled for 64-bit applications."
    Does Safe Admin enable this by default?

    Especially for Firefox (my one and only browser) this is welcome, even when Safe Admin puts FF under 'LOW'.

    I'm not really sure what you mean by this.
    Will 'containing processes' be different from running them virtualized with LOW rights?
     
  24. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    It's still currently being developed by Sully and wilderssecurity is the place to get infos about its development.

    But my wild guess it would be soon posted in Sully's HTML website like his other softwares ^^
    http://mrwoojoo.com/index.html
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Right now we are discussing circumstances associated with this setting and the best ways to implement it. It could be on by default on the chosen "preset" items such as Firefox. Not sure yet.

    I think Kees meant that there will be a way to create your own custom rules. The "presets" for things like Firefox or Opera, we will be able to determine what "default" values are. In most cases then it is expected that the install will be default. A customization area will be provided for other objects, maybe like Kmeleon browser or something. Your choise. The same methods, EMET, Integrity Levels, virtualization, etc will be available to whatever custom ruleset you wish to design.

    Sul.
     
Loading...
Thread Status:
Not open for further replies.