Feedback asked

Discussion in 'other anti-malware software' started by Kees1958, Sep 21, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thats pretty much it.

    Currently the UI (user interface) is changing daily it seems. Some features are being added and some possibly dropped as we sift through the best methods. After we have a UI that makes the most sense, I will get the basic components up and running. At that point I will probably create a devoted thread for it. Updates and that sort of thing will be there. Once it leaves alpha and is stable enough to go public beta, I will put it on my website. A few advanced users have expressed interest in testing it, so those will hopefully become the alpha testers, because they can "undo" anything that might go wrong.

    I like to get pretty technical with my little tools. Kees is the mind behind Keeping It Simple Stupid. He also comes up with this wild stuff quicker than I can fully research the mechanisms and design a UI for it. The UI design is fairly close, but I have complete confidence in Kees that he will find another strange setting or two to add to it :D

    Sul.
     
  2. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    207
    This is a very good idea. Thanks for thinking of implementing it.
    OT: I'm a long time kmeleon user ;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @ Sully,

    Nope, a requirements freeze is applicable as from today ;)


    @Others

    Because Microsoft allways applies backward compatibility (they learned the lesson of the joint development of OS2 see http://en.wikipedia.org/wiki/OS/2 ) some mechanismes interact strangly on each other. Which makes it hard to achieve consistant results in different settings.

    So the first discovery journey was in establishing a working set of mechanismes which would result in a consistant behaviour.

    After having establishes this the User Interface had to be designed. We did fall into the trap of trying to develop a Noob's interface while constantly keeping open the Geek's options. Some time ago we decided for a wizard approach, which turned the UI up side down.

    Please wait and see what the result will be: A security enhancement which can be used by average PC Joe/Jane and will be a plus to any setup (without pretending to being the cure of all problems).

    Regards Kees
     
  4. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    @Sully (since you know all the technical stuff)

    When Safe-Admin is out and it does what it does, Let me recall this so I get it clear

    First about UAC:
    1. I can not install an unsigned driver
    2. Only signed programs are allowed to elevate
    3. When they are located in Windows and Program Files directories.

    I know they are reported issues about signed programs being hacked/containing malware, but I think the problablility is low to encounter such a thing (I only have installed Office Pro and Chrome - from Google Pack on my PC).

    The above UAC settings will prevent my 'user' programs (running medium rights as you say) infecting my 'admin' programs (running high rights).

    When my two 'risky' programs (Chrome and Outlook) run low rights, UAC prevents them from infecting my 'user' programs. I have set Chrome to lock my download directory (making it impossible to download in other directories). This directory is protected with the No-Execute-Up thing (whatever), as will be the mail directory of Outlook.

    Here are my questions:
    1. When I download my E-mail attachements in the download directory are they also 'safe' (e.g. locked by the No-Execute-Up thing)?

    2. What happens when I move an attachement or executable out of this directory what are the consequences? Does it keep the No-Execute-Up thing?

    3. I occasionaly import documents from USB disk (I have autorun disabled and Avast installed, which checks the disk when inserted). Is there a way you guys could think of something simular for my USB disk (based on the drive letters)?

    Regards Newby


    Edit:
    I think I found the answer in https://www.wilderssecurity.com/showpost.php?p=1748703&postcount=231
    So my guess that 1 = Yes and 2 = No

    I did some Googling on USB and ACL and found this http://www.zecurion.com/zlock.php so maybe you can do your magic :D
     
    Last edited: Sep 24, 2010
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sounds about right if all those options are applied. Regarding signed programs being rogue, well, what can one do. If a security feature is a signed program and you use that feature, how does one verify the signature to trust the program? Tis a never ending circle, isn't it.

    UAC itself allows the "default" Medium Integrity Level to be applied when a process starts. The token UAC uses is the Standard User token. So you have two layers of rights so to speak: a standard token and an Integrity Level. When UAC elevates, it changes this to admin rights. SAFE doesn't really change what UAC will do, it will force certain parameters, such as those listed above, and apply what is known as an Explicit Integrity Level - meaning it will force the object(s) in question to start at a Low Integrity Level, even though the token will still be that of a Standard User.

    Yes, if you have applied it to your downloads directory.

    This is an area of discussion still. When you apply an Integrity Level to a directory like one for downloads, you must tell the Integrity Level to apply to all child files and folders for it to be effective. Once an Integrity Level is applied, whether you directly apply it or it is inherited, it stays with the object as long as it is in the OS and on an NTFS drive. Moving the object normally does not change this effect.

    Lets say you downloaded a zip file and an installer.msi file. SAFE has been applied for the download directory, either browser or email. When the file is created in the downloads directory, the IL that SAFE applied gets passed on to child objects. So your zip file and installer.msi will now have an Explicit Integrity Level of Medium with the NoExecuteUp flag set. This allows you to execute the program within windows explorer at the default Medium level that UAC would run it at anyway.

    The SAFE part is that when your Low IL browser process tries to execute one of these files, because when they are created they are at Medium, the NoExecuteUp flag that they also are assigned prevents the Low IL browser process from creating a process at Medium IL. Remember the laws of Integrity Levels say that a lower IL cannot "mess" with a higher IL. The NoExecuteUp is the mechanism we employ here to keep the Low IL from executing the Medium IL.

    But there is a drawback of sorts. Because the Integrity Level is Explicit, it will follow that file wherever it goes. One way to rid this is to copy the file, maybe the installer.msi, to anywhere else. The copy will have no Integrity Level. You could then delete the original. It is also possible to remove the Integrity Level. Removing it will most likely come from a context menu option or something. If you don't remove the IL, it may or may not be a drawback. If the object never needs to run at admin rights, it will not be an issue. However, if the object needs admin rights, the Explicit Medium IL it has will mean that it will always start at medium, even if an admin level process tries to start it.

    You could drop the file from the USB into a directory that has these same setting applied, which would then stop Low IL processes from executing it. I don't know this would do you much good. You might be able to format the USB as NTFS and apply the Integrity Level to it. I don't know, I haven't tried that.

    It is interesting that you bring that up though. The 1806 tweak that Kees posted some time ago allows you to utilize the Alternate Data Stream that M$ puts on every file it downloads from the internet. Lets discuss that for a moment, maybe some ideas can be formed.

    I will state right now that SAFE is considering dropping the 1806 feature in favor of the Integrity Level No-Execute-Up option.

    Every file downloaded with a program that supports it adds what is known as an Alternate Data Stream. Some programs (Firefox and Opera) don't support it in the way others (IE and Chrome) do. In the normal method, a value is written to the ADS (Alternate Data Stream). It is always there. The 1806 option simply tells the OS what to do with that value.

    The ADS value simply states that this file came from the internet. The settings for 1806 will either ignore it, prompt you for permission to execute, deny execution and inform you it denied it, or just deny it quietly. It use could be that by default anything downloaded from the internet is denied execution by default.

    Getting rid of the ADS is easy, changing the value of the ADS is easy. The weakness of the ADS is that it can contain things, such as executables, that can be malicious. There is a lot of talk about the negative sides if you research it a bit. FAT32 drives don't/can't use ADS. If you copy a file with an ADS to a FAT32 drive, then copy it back to an NTFS drive, the ADS will be removed.

    In one sense the 1806 tweak is a good one to use to stop execution in the downloads directory. It is easy to apply and remove. But, it also only applies to a set of file types. There is the off chance that a certain file type might be downloaded and executed that the "list" ignores, and thus could be exploited.

    What is interesting about this is that there are some options on using this approach. One such option is that when you copy a file from the local network, you can do the same thing. In other words, you download a file from another computer in your house, it can have an ADS and deny execution the same way it would from the internet, if you enable it. Could this be applied to drives other than the OS? I don't know. It would be interesting to see if there was a way. If there were, then it would provide a unique protection from USB drives.

    For example, if you have applied Panda USB vaccine to the USB stick, no autoruns will occur from it. You have closed one door of infection there. If the 1806 type setting could be applied to it, you could then copy a file from USB to your computer, and by default it could not execute. You would have to take a measure to make it happen. In this case, if you copy a directory over, with multiple files, and you decide to execute one of them, you would have to allow it execute. So you do that, and execute it. It in turn attempts to execute something else in that directory, maybe a worm or something. It all depends, but maybe the ADS on the worm prevents the process you started from being able to execute it. Now I don't know if this is even possible. Your question simply made me think of this and wonder about it.

    HTH.

    Sul.
     
  6. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Okay

    1 and 2 both a YES, great. I would opt for a right click remove feature.


    About USB


    Okay, so I managed to format my 4 Gig USB disk to NTFS (it was fat32 or something).

    When I understand you correctly, you could provide a right click option in Safe Admin. When I position my mouse on my USB drive right click it have an option to 'Deny Execute' wash all files stored with the '1806 trick' (adding some info to the files which states they are from the internet and not allowed to execute).

    I realise that it may be is not apropriate for a Newby to ask for an extra option, but please for an avarega PC user like me it would close all 'risky' entry points (Internet, Mail, USB).

    I don't mind the extra task to provide to right click and select 'Set deny execute for all thingie'.

    Regards Newby

    Please, please :D
     
  7. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    What if I have a portable browser or if I set my cache folder to be the same as the browser's directory stored in C:\Program Files\browser\ ? Will it still protect against drive-by-downloads in that case?
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You need to go a little deeper.

    An Alternate Data Stream is, in laymans terms, a sort of hidden file that is "attached" to a regular file (it is not that really, but sort of). Anyway, the browser creates this ADS when you download a file from the internet if it is programmed to do so. The typical value in an ADS is just the number 3. This indicates it came from the internet.

    The 1806 setting I believe has a default value of 1. This means it will prompt you with something like "Are you sure you want to run this file, it came from the internet". Now you must remember, this is a Zones setting, so if you change your internet settings for IE, this too can change.

    What Kees brought forth was the fact that 1806 has other values, namely 2 and 3. These are registry values for the 1806 registry key. If you set it at 2, you get a deny with a message telling you it was denied. If you set it at 3 it will deny silently.

    There are other Zones that you can apply this to, such as the intranet zone. It works in the same manner.

    When you want to execute a file that is denied, you must right click it, then choose properties, then choose "unblock". You could do the same thing though by modifying or removing the ADS. That is what I would do, modify it. Once the ADS no longer has the value that the 1806 registry key is looking for, it is ignored.

    But remember too, that not all file types are denied with this. Only certain ones are. You can modify it, it lives in the registry (the list that is).

    So in your case, you format the USB stick as NTFS. Now set the 1806 value to 2 and it should be denied if you downloaded with IE or Chrome. Firefox and Opera do things a little differently, so files downloaded with them don't behave exactly as planned. If you copy one of these downloaded files to the USB stick, they should carry the ADS with them, thus any computer utilizing the 1806 deny execution tweak should block the execution. To execute it then, you need to change that ADS value.

    It is easy enough to create a little tool to modify the ADS with a right click, even if it doesn't make it into SAFE. It is not so easy to fill a USB stick up with files and then create the ADS for them all. That would be quite slow. But it can be done.

    We must wait and see how SAFE ends up. If the ADS features are not in it, I will make a stand-alone tool that lets you manage it easily. How does that sound?

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The idea is to tell your browser to save downloaded files in a "downloads" directory. It doesn't matter where that directory is located. SAFE would then set an Explicit Integrity Level of Medium with the flag No-Execute-Up enabled, and it would apply this to all child objects and sub-directories in the downloads folder.

    So yes, it will still protect against the browser running at Low Integrity Level from being able to execute a forced-to-Medium Integrity Level of the objects in the downloads directory.

    Sul.
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Alot of Win 7 processes are. To see which ones are, which are disabled and those that are not allowed, open Task Manager > View > Select Columns...
     
  11. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    great :thumb:
     
  12. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
    I'm so waiting to try this :D
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I hope I haven't miss it, but... has anyone already tested running a few e-mail clients, and check whether or not they will work 100% with a Low IL? I haven't, and won't, at least, in these days to come, as I'm busy with other tasks... Boring ones, I must say.

    I ask this, because, well... as you may be aware both Chromium/Chrome and Internet Explorer 7/8/9 (IE in Vista/7) run with Low IL, but not fully. The parent process runs at Medium IL. The reason is to prevent issues from happening.

    So... forcing an e-mail client to fully run with a Low IL, may break certain functionalities.

    For example, and this about Opera browser. If one sets it with Low IL, and then if you try running it under a different user's credentials, it will fail to run, because it won't have enough rights to access user profile, despite the fact the user profile is also set with Low IL.

    Any of you, bravehearts, is up to the challenge? :D
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Status update please. :)

    I don't know if Mr. Woojoo has PHP but some blog software might spritz up the site some.

    No sql required!

    PivotX content management with themes; Bare Bones, Digg Style, Indian Summer, Magazine
    CMSimple content management with themes; Graidltwin, Curv1, Stripemee, Cuteal, Tablez, Aikido, Limer
    Pluck-CMS content management with themes; Blue Pigment, Computerised, (Free CSS Templates) Club House, Nourish, Precision,
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It is in Alpha now.
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Awesome!

    I wonder if Santa Clause will be coming early this year. :D
     
  17. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
    Can I test it now? :shifty: :D
     
  18. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
  20. vhick

    vhick Registered Member

    Joined:
    Jan 21, 2006
    Posts:
    224
    Location:
    Noypi.........
    I want to try Safe Admin but when I click "SAFE_a10.exe", nothing happens.

    please help me.

    Thanks..
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This small code piece illustrates an idea for a context menu action. The .exe requires command line parameters to work. This is probably pre-alpha, if that is even possible ;)

    If you place the .exe at c: and then merge the .reg file, you can test it. If you decide to place the .exe somewhere else, such as c:\test, then you must modify the .reg file to match where you place it. If you don't understand what I just stated, perhaps it would be best to wait for a bit yet :) It is removed by deleting the menu entries from the registry manually. These menu entries (as I found out) are supposed to be supported by win7 only, so I don't know how it works on Vista.

    Once you merge the reg file you then will have a context menu entry that allows you to add a parameter for the file you clicked on. The parameter is an App Compatability parameter and will, by your choise, either be set to RunAsAdmin or RunAsInvoker.. or remove it. If you are using quiet mode UAC then these actions will happen transparently. If you are using any other UAC mode, then you will get a prompt, depending.

    This is not the full app, merely a test to find out thoughts/opinions on context menu activity.

    What you probably want to use is not quite ready yet. I will have a context menu version up soon, time permitting. This will likely be a beta of the core components, but without a UI. The feedback I get from the core components will very likely dictate just what I do to the UI.

    Sul.
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    kees, you asked for feedback, make sure to create a layman install log. It sounds great, but honestly, I have yet to understand a bit of it. I want to use it, but am afraid to try.

    Kind of how BlackSpears created the setup log for Eset. He may not know it, but it is still utilized to some degree on a daily basis.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    We have talked about this, it is in the plans.

    Truly though, what SAFE does is probably not as tricky as you might think. Many of the core settings are just registry values that will be changed from default. The defaults are known, so in a complete meltdown, a simple .reg file could bring those back to normal.

    Other things are appended to the registry, such as the App Compatability values. Again, it is very easy to remove all of the values and start from a fresh state.

    The items that will be most troublesome in terms of knowing what happened will be the Integrity Levels and Deny Executions. These can happen per file or folder, and can happen (in advanced mode) at users discretion. In basic mode, it will be pre-determined most likely, so again, programatically reversing the actions is fairly simplistic.

    EMETv2 has its own method to show what has been applied, so in the event of a meltdown, you could quite easily remove all of them and then reinstall back to defaults.

    We have decided to utilize the registry to store all information that is modified: what files/folders have been applied an Integrity Level or Deny Execution, what files have been virtualize or RunAsAdmin.

    I can't say it will be fool-proof, nothing ever is. What I can say is that I hate bloated and convoluted applications that require too much clicking. If you are comfortable navigating the registry, then this tool will pose no problems. If you are not comfortable in the registry, you will have to rely on the removal mechanisms. Either way, from a programming stand-point, it is very simplistic. The hard part is implementing it all ;)

    Thanks a lot for the feedback, it is exactly what I am looking for!

    Sul.
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    you are welcome sir. Maybe it is time to create a forum with stickys for this project instead of hunting or being pointed to specific threads. Wilders?
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Not quite there yet. When I get a beta out the door, it will have to be consolidated. Right now it is still odds and ends of different thoughts that are not quite cohesive.

    But you are correct, it will need "one thread to rule them all, and one thread to bind them" :argh:

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.