[Google Chrome] 99% interesting extension

Discussion in 'other software & services' started by m00nbl00d, Dec 11, 2012.

Thread Status:
Not open for further replies.
  1. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    At this point, I highly doubt any reputable AV will detect Windows files as malicious (with default configs). Such events were extremely rare in the past. Personally, I never faced such an issue and I've been using AVs since forever. MSE is overall nice but its detection rates aren't very good and it can't be password-protected. At best, you can restrict its options to "only admin account can modify".
     
  2. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Because why hope Norton can detect something when Sandboxie or a similar program can just delete it? By the way, I think in our efforts to help, we're overlooking the fact that, going by the description we were given of what this mother does, there's really nothing out there that's going to prevent the kind of trouble she willingly is inviting.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Rare or not, when they happen, they're messy. :ouch:

    Anyway, until this extension improves (I hope it does), there's another approach - the m00nbl00d approach :D - that users of Chromium/Chrome/Firefox can take. I suppose Opera as well, but I never tried this approach with it, so not sure about possible issues. Only works for Vista+.

    Chromium/Chrome

    1.) Apply an explicit low integrity level to the browser's process and to the browser's profile (so that the browser can create its data).

    2.) Deny execution in the browser's profile folder (because it will have a low integrity level as well).

    3.) Have two downloads folders. Deny execution in both. Apply a low integrity level to just one of them.

    4.) Make your browser downloads location point to the Downloads folder with the default permissions, that is with a medium integrity level (if running as standard user/protected admin). Deselect the option to ask where to save files.

    Downloads will fail.

    For Firefox, it will suffice to apply a low integrity level to the browser process and to the profile folders. Firefox still interacts with the Temp folder, which runs at Medium integrity level. That should stop drive-by downloads as well. You'd need to apply a low integrity level to the Temp folder to download files.

    There's always more than one approach to achieve something. :D

    -edit-

    With Chromium/Chrome, when you need to download something, right-click the file and choose to save as... it should work fine.
     
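The four steps above, written out as one script so they can be applied and checked in one go. This is an added example, not m00nbl00d's own script: it uses `icacls` (built into Vista+) to set the mandatory labels and the execute-deny ACEs. The Chrome executable and profile paths are assumptions for a machine-wide install with a default per-user profile; the `Downloads-Low` folder name is also made up here. Run it from an elevated prompt, since relabelling a file under Program Files needs WRITE_OWNER on it.

```powershell
# Added example (not from the original post): m00nbl00d's low-integrity
# browser layout applied with icacls. Paths below are assumptions for a
# default Chrome install; adjust for Chromium/Firefox or a per-user install.
$ErrorActionPreference = 'Stop'

$ChromeExe   = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"  # assumed path
$ChromeData  = "$env:LOCALAPPDATA\Google\Chrome\User Data"               # assumed path
$DownloadsMI = "$env:USERPROFILE\Downloads"       # stays Medium: the browser's default target
$DownloadsLI = "$env:USERPROFILE\Downloads-Low"   # Low: reachable only via "Save as..." (assumed name)

function Set-LowIntegrity([string]$Path) {
    # On a folder, (OI)(CI) makes the Low label inherit to files and subfolders,
    # so the browser (itself Low) can keep creating profile data underneath.
    if (Test-Path -PathType Container $Path) {
        icacls $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    } else {
        icacls $Path /setintegritylevel Low | Out-Null
    }
}

function Deny-Execute([string]$Folder) {
    # Deny Execute (X) to Everyone (S-1-1-0) on files only: (OI)(IO) is an
    # inherit-only ACE for file objects, so the folder itself stays traversable.
    icacls $Folder /deny '*S-1-1-0:(OI)(IO)(X)' | Out-Null
}

function Test-LowIntegrity([string]$Path) {
    # icacls only prints a "Mandatory Label\Low Mandatory Level" entry when an
    # explicit label is set; default (Medium) objects print no label at all.
    ((icacls $Path | Out-String) -match 'Low Mandatory Level')
}

# 1) Browser executable and profile get an explicit Low label. A process
#    started from a Low-labelled image runs at Low even from a Medium caller.
Set-LowIntegrity $ChromeExe
Set-LowIntegrity $ChromeData

# 2) Nothing in the profile folder may execute.
Deny-Execute $ChromeData

# 3) Two download folders, neither executable, only one of them Low.
New-Item -ItemType Directory -Force $DownloadsLI | Out-Null
Deny-Execute $DownloadsMI
Deny-Execute $DownloadsLI
Set-LowIntegrity $DownloadsLI

# 4) is done in the browser UI: point downloads at $DownloadsMI and untick
#    "Ask where to save each file". A Low process cannot write to a Medium
#    folder, so automatic downloads fail; "Save as..." into $DownloadsLI works.

# Verify the labels stuck before relying on them.
foreach ($p in $ChromeExe, $ChromeData, $DownloadsLI) {
    if (-not (Test-LowIntegrity $p)) { throw "No Low label on $p" }
}
if (Test-LowIntegrity $DownloadsMI) { throw "$DownloadsMI must stay at Medium" }
Write-Host "Low-integrity browser layout applied and verified."
```

Two practical caveats. First, an updater that replaces `chrome.exe` writes a fresh file with no explicit label, so the process silently goes back to Medium after an update; re-run the script (or at least `Set-LowIntegrity $ChromeExe`) afterwards, and confirm with the Integrity column in Process Explorer. Second, Everyone-deny ACEs also bind the account doing the setup, so keep `Deny-Execute` to folders that are only ever supposed to hold data.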
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Most people need the measure of security an AV provides because they don't know enough to rely on other methods.

    However, as m00nbl00d notes, an AV doesn't mean much to many. In fact, I would say that I have fixed more computers with AV than without. That's probably due to user knowledge, but some of it is due to some users wanting to play with restrictions like firewalls with HIPS etc.

    IMO if grandma refuses to adapt to how to properly use a computer, then if she wants to be free of problems, she needs someone to administrate her computer. And that means taking away rights, erm, freedoms ;)

    Sul.
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I think if you're under Chrome, you'll pretty much avoid the fear of drive-bys anyway, which seems to be what you're protecting against with your suggestions, M00n. If something malicious is downloaded by your own hand, browser protections aren't going to do anything.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No drive-by downloads. I actually want to stop legitimate web sites such as Softpedia, which I use to get direct download links, from automatically redirecting me to the official website download links. Sometimes I forget to click X to stop the browser loading all of Softpedia's website (which does prevent the downloads). :D
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Ahh, I see :)
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I find AVs to be overly complicated. Setting up Chrome with EMET is much simpler.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    That won't protect the grandma from downloading, installing and running malicious software masked as something else.

    A fully automatic and password-protected security suite or AV will, and she won't even see it in action.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That would be nice. Unfortunately for grandma I've never seen a silent security suite.

    I'd rather just use MSE.
     
  11. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    A totally silent security suite is 100% possible as long as you tweak some easy settings. I recommend Webroot SecureAnywhere OR Norton 360. Did you ever dig the settings of any reputable security suite? ... You can even remotely configure them (configure them from another PC).

    As for MSE - as I already said, its detection rates aren't very good and it can't be password-protected. At best, you can restrict its options to "only admin account can modify".
     
    Last edited: Dec 12, 2012
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I used Emsisoft AM on my mother's computer because she's not a safe browser/ likes to stream TV shows and when she was on XP she'd gotten a virus on more than one occasion. It annoyed her, so I just removed it and put MSE back, set up EMET and Chrome, and that's been enough.

    I don't pay for security software so neither of those mentioned would work. I also don't like security suites as I feel the increased complexity and all of those extra features hooking into so much of the system is just attack surface waiting to be exploited. The Sophail report was a good example of this - why attack Chrome when you can attack the antivirus? You completely get around the sandbox because the AV includes a web shield that scans emails, and it handles it horribly. McAfee would inject non-ASLR libraries into the browser. Norton toolbar wasn't ASLR enabled for ages until Firefox forced it to be.

    I'd much rather have an AV that sits back and lets the browser handle browser security.
     
  13. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Vulnerabilities of mainstream security suites are found and fixed very fast. They are constantly hardening and reviewing the code. As for real attacks from complex exploits targeting 0-day vulns of security suites: can you point to one mainstream attack of that sort? They aren't cheap or easy to make. They are rare and almost always only used in targeted attacks. Even mainstream attacks targeting old vulnerabilities usually only succeed on very outdated systems running very outdated versions of common software. On the other side, malicious software masked as something else is downloaded and executed all the time. And if grandma lacks the proper skills to distinguish what's good from what's bad, she will fall for them. That's why a really good silent AV or security suite is important for her. It can eliminate what's bad and maintain what's good automatically. A password-protected one is even better - that way, grandma can't be fooled by social engineering into disabling the security.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This is simply not true. Sophail was a really great example of this, you should look it up. Outside of that, again, we saw this with McAfee defeating ASLR, Norton, and various other security companies all pushing out insecure software.

    I haven't checked in a while but a lot of security suites came with ASLR disabled on numerous .dlls if not the entire program.

    I don't think there's one attack in the wild against AV software - not that I know of. But it's absolutely not expensive or difficult in many cases, again, read the Sophail reports (v1/v2). In many cases AV makes targets more susceptible to attack either by providing incredibly dangerous attack surface or by interfering with security that's already present.

    Actually there's no consensus on the main vector of infection. Famously, Microsoft released a massive report showing how malware was almost always installed due to user interaction and within days Google released a massive report showing how malware was almost always installed due to exploitation. And various other companies have shown varying results. I've personally encountered more infected machines caused by exploit than by social engineering, but that's my limited pool of maybe a few hundred systems.

    We see 0days for Reader and Java still, consistently. Often when a vulnerability is patched it isn't long before it's being exploited by some exploit kit.

    I agree. And as Grandma is only human, I would never expect her to make such decisions. That's why I'd leave MSE.

    A suite can either be effective or it can be silent, rarely both. In av-test and av-comparatives (among others) tests it's clear to see a correlation between 0day protection and performance/false positive rate. AVs try to mitigate this in a few ways, either pop-ups to ask for user decisions (useless) or a range of protections to spread out the protection (ie: instead of strict heuristics for file analysis, use softer heuristics across web browsing and file analysis). In my experience it doesn't help much.

    I don't see a password as helping. Grandma's gonna be pissed when her legitimate file won't open - she'll either uninstall it/ get someone else to uninstall it/ look up how to uninstall it, or call me 100x a week telling me to fix it. Locking someone out of their machine usually doesn't lead to security unless you can really enforce it (ie: enterprise settings).

    Real world? An AV suite will be a bit annoying and provide half decent security against threats out there. From a standpoint that assesses all attack vectors, in my opinion, they just make things worse.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada

    Nice approach, at least for a Grandmother. I agree with this 100% :thumb: No need at all for a security suite that for its monetary costs and system stability impact is not worth it when free options are available that will work even more effectively than the dreaded suite.
     
  16. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    You really haven't checked in a while. Since they started dropping support to Windows 2000, they made large advances in that area.

    More susceptible to some few expensive and rare theoretical attacks but totally less susceptible to most real world attacks.

    Social engineering plays a much bigger and dangerous role. If the sensible commonly exploited software (MS Windows and Office, Adobe Reader and Flash, Sun Java and the browser) is kept patched (just leave their default update settings alone and they will be kept patched nowadays - we are in 2012, not 2005), vulnerabilities aren't exploited.

    Microsoft blocks the vulnerable plug-in versions as well with the active-x killbit update usually before the thing starts getting exploited in the wild. Just leave the freaking default-ON update settings alone.

    I don't agree. Check Norton for example (latest report):

    http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=123662

    No false positives at all and still excellent protection against 0-day malware attacks, widespread malware, etc (much better than the industry average which isn't bad too).

    Grandma won't notice it if you tweak some easy settings to make it password-protected and truly silent.
     
    Last edited: Dec 12, 2012
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It was probably less than a year ago.

    Again, the attacks aren't expensive. https://lock.cmpxchg8b.com/sophailv2.pdf
    There are Metasploit tools to create ROP chains from arbitrary targets; an AV injecting static libraries into a program would not lead to a "costly" attack - it would make attacks much cheaper.

    Yes, they're not "real world" but they are practical.

    Again, you can state that social engineering plays a larger role but there's significant research that disagrees, there are people on both sides. The fact is that exploit kits exist, exploit pages exist, and they do infect systems. Unfortunately the Java updater is awful as is their patching. Beyond that, 0-day exploits happen - even against secure and up to date programs like Adobe Reader, a program that uses a sandbox.

    Norton uses some cloud reputation heuristics. I'd be curious to know whether a popup of "this file is unknown" leads to a 'protected' score or a 'false positive'. Their testing methods are unclear - for example, they state they're using their own software to test and not 'in the wild' malware. Unfortunately av-comparatives doesn't seem to test Norton.

    There is a higher performance hit than MSE (MSE scored a 5 iirc, Norton a 10, this is likely due to them running heuristic analysis longer). I'm too lazy to check Norton for non-ASLR components, but given their (recent) history, I'd be surprised if all of them were ASLR enabled.

    You can look at the other results and generally see the trend between FP/Performance hit and detection. This is clearer on av-comparatives website where the reports are more detailed.

    Which isn't even to go into generic issues with AV.
     
    Last edited: Dec 12, 2012
  18. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Show us recent or in the wild examples.

    I don't want to play the game of "more important" or "less important". Protection from social engineering related malware is important and security suites protect from them better - that's enough.

    As for exploits and vulns: in-the-wild 0-day exploits are rare. Usually, you start to see vulnerabilities being exploited about a month after they get patched. And, in the case of attacks targeting a zero-day vulnerability of some popular software, some modern security suites try to monitor and block the 0-day vulns before the patches are installed - just like they monitor and block exploits of vulns in outdated software. Take a look at the protection from vulnerabilities offered by the Intrusion Prevention module of Norton, for example. Others like Kaspersky also partnered with Secunia to offer an integrated solution in their suites that automatically downloads and installs patches for outdated software in the background. How are they performing in this area? Well, from a recent NSS Labs study, one can see that some of the tested ones aren't doing that bad. But there is much room for improvement.

    https://www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection

    "Recommendations
    - Always enable and allow automatic updating of the operating system.
    - Consumers should patch software as soon as possible rather than relying on endpoint security.
    - Java should be completely removed if it is not required.
    - Use the Secunia Personal Software Inspector to help keep track of applications that have patches and updates available.
    - Upgrade or replace underperforming security products."

    Upgrade or replace underperforming security products... MSE scored very bad here as well.

    Symantec isn't participating on av-comparatives tests this year, but last year they ranked very well on those aspects you mentioned.
     
    Last edited: Dec 12, 2012
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Symantec had 57 FPs with a variety of prevalence. Microsoft had 1 FP with the lowest prevalence.

    Like I said, there's almost always a correlation between 0day protection and performance/FP rate.

    MSE never handles updates for programs AFAIK.

    From the NSS report - it seems like they're doing fairly poorly here.
    As for the Norton prevention, it's actually IDS, not IPS. Meaning they can only protect against what has already been released/ seen. That's still great, and kudos to them, but it's an important difference.

    What I'm pointing out is this:
    1) Complexity of a program leads to more attack surface and the value of the attack surface increases. Security programs can get quite complex and given that they run with such high rights it's more important than any other program on the system that they be configured securely.

    2) Many security products I've seen don't make use of basic security techniques. (I'm going to test this soon with a tool I was recently made aware of and I'll report the results).

    3) False positives significantly degrade security. Programs with high detection rates for 0day malware typically have high false positive rates - av-comparatives.com tests show this with Norton, I'm too lazy to go through all of the products results. This is just how heuristics work, you can make it take longer and you can make it more sensitive.
     
  20. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Weird. Av-tests.org reported 0 FPs. Improvements?

    Yes and that's one less point for it because Microsoft Update is too limited in its scope. One needs to install Secunia PSI for grandma to help it.

    Yes, as a group. The top performers aren't.

    It's actually IPS:

    http://community.norton.com/t5/Nort...em-IPS-Your-first-line-of-defense/ba-p/124400
    ...
    How does the Norton IPS engine work?

    Applications that interact over the Internet can have vulnerabilities. Generally, vendors release patches to address these vulnerabilities as they are discovered. Unfortunately, for various reasons, millions of users don’t run fully patched system, and when they download or stream a document, media file or simple HTML page on an un-patched system, they can be compromised. These exploits, when successful, can also cause (even more) malware to be downloaded, making the problem worse.

    The Norton IPS engine patches holes in these vulnerable systems by scanning network traffic for patterns that exploit vulnerabilities. One IPS signature for a particular vulnerability can protect against many variants of exploits and so they are very scalable in their defense.

    Norton users running IPS get definition updates with new signature content on a regular basis.

    If I run a fully patched system, do I need IPS?

    Yes. Vendors typically take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not all products have an auto-update feature to download new patches as soon as they are available. In some cases, updating to a new patch/version causes incompatibility with other software on the system and prevents users from updating. Practically speaking, there is almost always a window of time when even the most advanced or savvy users are running a system without fully patched software.

    The IPS engine from Norton can protect users during these “windows of opportunity” for the bad guys. Symantec’s Technology and Response team works 24/7 and can quickly release updates to Norton products to “virtually patch” critical vulnerabilities.
    ...

    Norton used to have very few FPs and very high detection rates in av-comparatives (recent past). I think something weird may have happened. Av-test.org reported 0 FPs in its latest tests conducted during the last months.
     
    Last edited: Dec 12, 2012
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    av-test doesn't use real samples, it uses ones that it designs. I'm more inclined to believe av-comparatives.

    The original link:
    https://www.symantec.com/security_response/attacksignatures/
    That's IDS. It says so.

    What you've just linked is apparently different.

    Or maybe not?

    That sounds a lot like detection to me. The only difference is that it's heuristic based and network based... I don't know why they call it IPS. As in it can detect variations on what it knows, but it still can't do anything for new attacks, 0day attacks.

    I suspect it's just detecting variations of payloads at a network level, either first or second stage.

    http://www.av-comparatives.org/images/docs/avc_fps_200908_en.pdf
    http://www.av-comparatives.org/images/docs/avc_fps_201008_en.pdf
    http://www.av-comparatives.org/images/docs/avc_fps_201002_en.pdf

    Decent results outside of the most recent test, where it has the second highest rate. But definitely short of "0".

    AVs just rely on what they know. They rarely take preventative measures: implementing a policy that will prevent an attack, implementing generic detection of attacks without signatures. When they do it's often a flop (some of the "mitigation techniques" implemented by AV companies have been really awful), but they don't do it often.

    The more complex the more attack surface. The better the 0day detection the worse the false positive and performance results.

    These are tradeoffs that are consistent. So it's simple to see why a user would go for an antivirus like MSE and then choose to supplement their security with a program like EMET, Chrome, etc, which take proactive preventative measures (sandboxing, mitigation techniques) without introducing significant attack surface.
     
  22. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I'm not sure that should be a mark against MSE/Defender/whatever. Identifying malware and updating software are two fundamentally different functions. Newer versions aren't always more secure and/or desirable. Something that is (automatically) updating your software is, itself, a security threat.
     
  23. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    What if grandma decides to use Firefox or IE? Will you restrict what software can be installed, removed or executed? Will you also hide and uninstall IE?

    With a silent and password-protected security suite like Norton 360, grandma is good to go. Doesn't matter if she is going to use Firefox, IE, Chrome or whatever. Doesn't matter if EMET or whatever is properly configured for whatever she is using at the moment.

    The beauty of the security suite is that it automatically deals with the largest possible number of real-world scenarios.

    I think the trade-offs are minimal inconveniences. Over time, FP rates tend to get smaller (the more users, the more reports, the fewer FPs). As for the attack surface of AVs, I'm OK with it as long as the security companies are fast at patching when vulns are discovered or exploited. And they not only need to be fast at it, they need to be the fastest at it, because security is their focus after all.
     
  24. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Secunia PSI isn't like SUMO. It only updates software to the latest version when the latest version introduces security fixes that indeed correct the vulnerabilities listed on the Secunia vulnerability database.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think people typically stay with what's installed, but regardless, if a user wants to use Firefox EMET is enough to secure against common attacks against it/Flash.

    IE9/10 are plenty secure, I'd be fine with a user moving to one of them, though I'd still use EMET. And I don't bother trying to secure XP machines because as far as I'm concerned it's hopeless.

    Per your own posts it's been stated that suites need setup. It's hardly objective but I find setting up EMET to be trivial, you import an .XML file and that's it, it's configured. In terms of protection against 0day attacks I'd take prevention over detection any day.

    A security suite does not automatically deal with the largest possible scenarios. It relies constantly on updates because virtually no part of a security suite is truly proactive, is truly protecting against unknown malware. What's called 'unknown' is almost always variations of what's been seen, which is why AV has any chance at all to detect it.

    If anything we've seen FPs increase with time based on the limited scope of this topic through av-comparatives. Users may continue to report but heuristics have to constantly change to keep up with new samples, and malware authors strive to make their software look legitimate.

    If you read the sophail v2 report you'll see that patching was not quick at all and some of those vulnerabilities are still unpatched.

    Outside of patching entirely is proper implementation of security mitigation techniques, which remove entire classes of bugs. I'm going to be looking at AV software for these features soon, I'm in the process of setting up a VM now.
     