GeSWall & LUA+SRP+KAFU - is it a point?

Discussion in 'other anti-malware software' started by ICuba, Mar 29, 2009.

Thread Status:
Not open for further replies.
  1. ICuba

    ICuba Registered Member

    Joined:
    Mar 22, 2009
    Posts:
    21
    I would use LUA+SRP+KAFU together with GeSWall. My question: is there a point? Do LUA+SRP+KAFU give me a similar level of protection as if I use them together with GW? Maybe those apps duplicate each other, because LUA+SRP+KAFU impose restrictions similar to GW, but I'm not sure, isn't it? What do you think about that setup? I also use Avira on-demand.
     
    Last edited: Mar 29, 2009
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Yes there is:

    SRP forbids programs outside of the system area.

    GesWall takes care of internet facing apps from system area + supplies cover to SRP in the unlikely event it would be circumvented

    These are two policy tools acting differently.

    LUA+SRP+GW
    LUA+SRP+DW
    The two strongest popup-free setups?
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps also
    LUA+SRP+AppGuard?

    Sul.
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    If I use a Standard Account on Vista Home with Chrome/Iron as my browser is DefenseWall or GesWall or AppGuard still recommended?
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Well, are you comparing a browser with a security application?

    Policy management complements very well any kind of browser, and it handles as well mailboxes, P2P, chat,...
     
  6. ICuba

    ICuba Registered Member

    Joined:
    Mar 22, 2009
    Posts:
    21
    Hey Lucy,

    Question about LUA:
    Should I run apps located in Program Files as administrator (surun) or add new path rules for which I choose the unrestriction option? What should I do?


    ---------------------------
    Sorry for my bad English ;)
     
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Certainly not.

    Under LUA, programs in Program Files are supposed to work as is (you need admin privileges to install them btw).

    I don't understand about "unrestriction". This seems to belong to SRP, and this is a different matter. In SRP, you absolutely need to put the Program Files and Windows folders as unrestricted. Otherwise you won't be able to use your LUA anymore.
    You will eventually have to add a new path, folder or file to the unrestricted list if you need to run a program installed outside of Program Files.
     
  8. ICuba

    ICuba Registered Member

    Joined:
    Mar 22, 2009
    Posts:
    21
    Because I set disallow in the Security Levels I can't run apps. I can only add a new path, folder or file and set it as unrestricted if I want to run something, but you wrote not inside Program Files. For example I have IE in that folder, so should I change IE's location?
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Program Files has to run unrestricted.

    So IE can run. If you don't want it to run, of course disallow it by putting it as disallowed.
     
  10. ICuba

    ICuba Registered Member

    Joined:
    Mar 22, 2009
    Posts:
    21
    OK, thank you for an explanation.

    Regards
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There is a registry tweak to get a third option, run restricted (sorry, I forgot how it is done)

    Cheers Kees
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Already the case by default in LUA...
     
  13. ICuba

    ICuba Registered Member

    Joined:
    Mar 22, 2009
    Posts:
    21

    Here you are,

    additional levels: Basic user, Constrained, Untrusted
     
  14. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    If you apply LUA it is already the case. I don't think it brings anything more.
    It is useful only under admin account and if you wish to run it at LU level.

    Somebody knowledgeable to confirm?
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Code:
    SAFER_LEVELID_CONSTRAINED    0x10000
        Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the user rights of the user.

    SAFER_LEVELID_DISALLOWED     0x00000
        Software will not run, regardless of the user rights of the user.

    SAFER_LEVELID_FULLYTRUSTED   0x40000
        Software user rights are determined by the user rights of the user.

    SAFER_LEVELID_NORMALUSER     0x20000
        Allows programs to execute as a user that does not have Administrator or Power User user rights. Software can access resources accessible by normal users.

    SAFER_LEVELID_UNTRUSTED      0x01000
        Allows programs to execute with access only to resources granted to open well-known groups, blocking access to Administrator and Power User privileges and personally granted rights.
    Sul.
     
  16. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    YES!

    I learned something today. And guess what? I am going to apply it right now!

    Actually this opens a brand new area of security where one can really grants different access levels to applications.

    Just one question: How to set it up in the SRP keys?
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Setting the Levels key to 0x00030000 adds part of it. I am out of time, but will dig out the value so you get all the options. I have it somewhere.

    Sul.
     
  18. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Ok I got it
     
  19. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I am disappointed by these hidden settings as most internet facing applications have no chance to even run under untrusted or constrained level. I guess you can use it when under admin.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, they must have uses, but when I looked into them I really did not see the need. It is interesting that on msdn there are some references to SRP creating a 'sandbox' effect.

    Sul.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I use on XP Pro only full access, no execute allowed and normal (basic) user.

    Probable reason I forgot how to set the others up; thanks Sully for posting
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you make the SAFER\CodeIdentifiers\Levels = hex 0x00031000 then start secpol or gpedit, you will see all levels you can use listed.

    Note that constrained = Restricted in the snap-in list.

    Now for some notes about constrained
    # HKCU is read-only
    # %USERPROFILE% is inaccessible
    # Some crypto operations including SSL negotiation do not work

    This lends itself to running IE in constrained mode with more lockdown than a user mode. Imagine that even HKCU and user profile are read only. Maybe not a feature rich browser, but certainly not much can happen lol.

    The untrusted level is even below that, whatever that might be. Maybe like a guest account? Or maybe constrained is more like a guest account. Either way, not much runs in untrusted.

    Having read further into the PoC exploit with SRP, I have no feelings at all that it will ever be an issue on my machine. Folks who have perhaps a default install and do things according to how MS would have it setup, perhaps they might stand a remote chance some day. For me and my setup, SRP will easily and safely reduce the possible threat vectors with flying colors. And should it ever actually happen, I will have to imagine that no matter what I have on my system it will not stop it. There is just too much I have changed from normal to tweaked for it to be otherwise.

    Sul.
     
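Tying together Sully's SAFER level ids and Levels value with Lucy's rule that Program Files and Windows must stay Unrestricted, here is an added Python example (not code from anyone in the thread) that decodes a Levels DWORD and audits a constructed .reg-style export of the SRP keys. Assumptions: the registry layout shown in the sample, `%ProgramFiles%` and `%SystemRoot%` as the spelling of the two system-area rules, and that Disallowed and Unrestricted are listed by the snap-in regardless of the mask.

```python
import re

# SAFER level ids from Sully's post; SRP stores each level's rules under a
# subkey named with the same number in decimal (e.g. CodeIdentifiers\262144).
SAFER_LEVELS = {0x00000: "Disallowed", 0x01000: "Untrusted",
                0x10000: "Constrained (Restricted)", 0x20000: "Basic User",
                0x40000: "Unrestricted"}
OPTIONAL_LEVEL_BITS = (0x01000, 0x10000, 0x20000)  # the ones the Levels mask toggles
SYSTEM_AREAS = ("%ProgramFiles%", "%SystemRoot%")   # assumed spelling of the two rules

# Constructed .reg-style export (plain strings rather than hex(2) REG_EXPAND_SZ):
# default Disallowed, Levels = 0x31000, system areas Unrestricted, plus one stray rule.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"Levels"=dword:00031000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000001}]
"ItemData"="%ProgramFiles%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000002}]
"ItemData"="%SystemRoot%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000003}]
"ItemData"="C:\\Users\\me\\Downloads\\tool.exe"
"""

def shown_levels(levels_mask):
    """Levels secpol/gpedit lists for this Levels DWORD (assumes Disallowed and Unrestricted always show)."""
    bits = [0] + [b for b in OPTIONAL_LEVEL_BITS if levels_mask & b] + [0x40000]
    return [SAFER_LEVELS[b] for b in bits]

def parse_srp(reg_text):
    """Return (DefaultLevel, Levels mask, [(path, level name), ...])."""
    settings, rules, key = {}, [], ""
    for line in reg_text.splitlines():
        m = re.match(r'"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if line.startswith("["):
            key = line.strip("[]")
        elif m and key.endswith("\\CodeIdentifiers") and m.group(2):
            settings[m.group(1)] = int(m.group(2), 16)
        elif m and m.group(1) == "ItemData":   # key is ...\CodeIdentifiers\<level>\Paths\{guid}
            level_id = int(key.split("\\CodeIdentifiers\\")[1].split("\\")[0])
            rules.append((m.group(3).replace("\\\\", "\\"), SAFER_LEVELS[level_id]))
    return settings.get("DefaultLevel"), settings.get("Levels"), rules

def audit(reg_text):
    """Findings a LUA+SRP admin should act on, following the advice in this thread."""
    default_level, _, rules = parse_srp(reg_text)
    findings = ["DefaultLevel is not Disallowed"] if default_level != 0 else []
    findings += [f"{a} has no Unrestricted rule, so LUA programs there will not run"
                 for a in SYSTEM_AREAS if (a, "Unrestricted") not in rules]
    findings += [f"Unrestricted rule outside the system areas: {p}"
                 for p, lvl in rules if lvl == "Unrestricted" and not p.startswith(SYSTEM_AREAS)]
    return findings
```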
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, should Chrome fail, you would benefit from one of these applications countering a drive-by download attack that drops an executable into user-space that might steal information, launch a code injection attack, or possibly attempt a privilege escalation attack. Also, if Chrome should fail, they would protect the Run and RunOnce HKCU keys, preventing a persistent presence.

    Cheers,

    Eirik
     
  24. runoades

    runoades Guest

    Um..What is KAFU? :oops:
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719