HIPS for non-admin accounts

Discussion in 'other anti-malware software' started by Seishin, Apr 27, 2007.

Thread Status:
Not open for further replies.
  1. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Running under such accounts can be advantageous; however, it won’t be long until the bad guys figure out ways to install serious malware on Windows even when users are running as non-admins.

    So question is, what HIPS is enough to protect such environment?

    I was thinking of a free option if possible.

    Thx for your input.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    First, you should define the methods that "the bad guys" use to "install malware."

    Then, decide what types of protection you need to prevent that.

    Finally, go to TopperID's links in the other thread and see which of those programs has those types of protection.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  3. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Well, that was the maximum expression of vagueness. I would accept it over at BBR but not here at security software paradise. ;)
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I actually thought it was a good post, since it encourages one to think. Security is not given by installing an av, HIPS, sandbox, etc.

    The best security can be gained by effectively analyzing your current weaknesses, seeing where you need to shore up your defenses, and understanding what is coming (or not) after you and how to avoid it. A great way to do this is not to run unknown things on your pc and make sure they only come from reliable sources, and ensure that the checksums are correct, with a GnuPG signature for the best reliability. Understanding, even without any security software, and proper practices, will make you infinitely more secure than someone who is plopped in front of a pc and given all the software, but can't use it.

    To answer your question, I know that SSM free works perfectly well in non-admin mode, but that is the only one I have experience with.

    Cheers,

    Alphalutra1
     
    Last edited: Apr 27, 2007
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Seishin,

    It was not meant to be vague :)

    That a bad guy could install malware in a non-admin account environment is vague. Under what circumstances could that happen? Or, what security barriers would have to be breached? Are you not confident that you have adequate protection?

    You could look at all of the known exploits in the wild that have been discussed, and I don't think you will find any such malware that could have been installed in a Limited User Account. They for the most part are trojan executables, and would lack permission privileges in this type of account.

    Wouldn't the added execution protection in a HIPS product also suffice to prevent that from happening?

    Now, if your starting premise is that something may get through, and you want further detection, then what other option do you have but to keep up with every little new development in these products to catch different types of hooks, code injection, and the like, and constantly compare them? Thus, the Castlecops link.

    It's not an enviable task, because everyone will have an opinion as to what is needed, and which product does it best.

    Or, by all accounts in this forum, they are all good products. Often, the decision is one of compatibility and preference to GUI, which you can decide while you evaluate one!


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    :thumb:

    -rich
     
  7. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    I know that already, thx. However, I had to delete my non-admin account last week because I visited a crack site and they corrupted my latest FF version (my mistake, as I should have accessed it via Proxo+Opera...but maybe this combo would not have given me access to that page) and mingled with Windows Explorer (I couldn't fully use it). So, in order to avoid the issue of a possible escalation of privileges from a limited service account, I decided to delete it. No dramas in here, but it was annoying to set up a new account again.

    It doesn't matter how much you know or plan in terms of computer security, as 100% foolproof systems are impossible to create; therefore the concept of a layered approach was coined. And this is the purpose of my thread: creating a new layer, as limited accounts are very vulnerable if one visits a hacker's domain.


    Thx for your recommendation.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why didn't you state that in your original post - it would have saved some of us the bother of a reply.

    regards,

    -rich
     
  9. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Well, that wasn't very nice.

    :mad:
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, had you stated what happened, I wouldn't have bothered replying because I know nothing about FF.

    A better place to post would be the Mozilla Forum at DSLR. The fact that you got FF to bomb should get you an award, or at least rattle a few cages over there :)

    Did you analyze what happened? Did you look at the code on the page to see what triggered the exploit? This would determine what type of product would have intercepted the attack. Then, an answer to your question would be easy.

    Whenever I see that type of site show up in a list of URLs related to an exploit, first I empty the cache, because you need to see all of the pages cached. Then you can Zip them and retain them for further analysis. Example: the keygen.ru site:

    http://www.urs2.net/rsj/computing/tests/keygen/keygen-zip.gif

    Analyzing the exploit reveals that IE unpatched is the culprit, so easy solution:

    1) use another browser

    2) get Linux (hellooo Mrk)

    keygen.ru test

    So, next time: save the cached files when you go to such places.

    Actually, you've got my curiosity up. Send me the link by PM and I'd like to look at it.

    regards,

    -rich
     
  11. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    No I didn't and that was my fault because I trusted (no longer know) Firefox. As a result, I got upset and deleted the LUA (lim.user acc.).


    The infection consisted of a drive-by download which corrupted Firefox (so the friggin' cybervampyres found a vulnerability in FF v. 2.0.0.3) and a download that was very slow...It was a 250 MB movie and the speed rate was ridiculous, something like 6KB/sec. So I suspected a rootkit being delivered...and I had to use task manager to terminate the download as the cancel button wouldn't work. Later on when I tried to access explorer to delete the file it froze. I couldn't open it anymore.



    I wish I could provide you that. It's deeply buried somewhere. Typical place one finds click after click looking for freebies. Bad stuff, serves me right for being so greedy and childish :gack:
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Corrupted user profiles in Firefox are nothing new.
    Actually I hate that happening so much I always run my FF inside Sandboxie.
    Firefox is I guess ok since it is my fave browser too, but the profile corruption from the use of whatever is just not acceptable.
    So I do recommend you to run it inside a virtualization software.
     
  13. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Jarmo, Rich...

    Sorry, but I should have explained as well what happened to FF. Nope, that exploit rendered the browser useless; that is, I couldn't open it at all...every time I clicked on it nothing happened, as if the firefox.exe file didn't exist...

    There is a new exploit in the wild which I would love to try with Opera. Pity I can't find the damn link again, and I tried...

    Cheers.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes, that can happen too and the only solution I know is to terminate firefox.exe from Windows Task Manager; a reboot might help too. Another weakness of Firefox. But that did not help?

    I know some cases when users have turned their original admin account into a limited user rights one and then not all the limitations that come with a true newly made user account are really there. Some admin rights are allowed too. But again I am not one to say much more except that above comment.
     
  15. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Nope, the whole thing was blocked even after reboot. I tried what you said. Dunno what really happened in there. When something like that happens I quickly delete the account to avoid further damage.

    So I am going to open a third LUA when I visit bad sites with PowerShadow on, and keep the second LUA for "safe" (doubt there is anything really safe anymore) surfing.

    Cheers.
     