HIPS versus Anti-Executable

Discussion in 'other anti-malware software' started by ssj100, Aug 22, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Tools|Folder Options|View

    This is Win2K but it is the same with WinXP:

    Check: Show Hidden files and folders
    Uncheck: Hide file extensions
    [image: hidden-1.gif]

    Here is one of my external Hard Drives where I've set several files/folders with the Hidden Attribute, and Windows configured not to show hidden files/folders. An alert user might notice "plus 6 hidden" indicated in the Status Bar:

    [image: hidden-2.gif]

    Configuring to show hidden files and folders, we see the presence of an autorun.inf file and an executable file. They are shown in light gray indicating they have the Hidden attribute set:

    [image: hidden-3.gif]

    This was the trick that the Conficker worm used, and has been noticed with other USB infector exploits. If your drive became infected while you were copying files from another computer, you wouldn't know if your computer didn't show hidden files/folders.

    I suppose you wouldn't know unless you scanned each file. And then, you would have to trust the scanner(s).

    ----
    rich
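    The autorun.inf-plus-hidden-executable pattern shown in the screenshots above can be checked for mechanically. The following is an added example written for this thread, not code from the original post: it parses an autorun.inf, extracts every program the AutoRun directives would launch, and cross-checks those names against a directory listing that carries the Hidden attribute. The autorun.inf text and the listing are constructed samples; on Windows the attribute would come from os.stat(path).st_file_attributes, which is not used here so the script runs anywhere.

```python
"""Added example (not from the Wilders thread): flag an autorun.inf whose
launch directives point at files carrying the Hidden attribute.

All inputs are constructed samples. On Windows, a real listing can be built
with os.stat(p).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN.
"""
import re

# AutoRun keys whose value names a program/document to start.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")  # e.g. shell\open\command


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.
    Windows reads the file as INI; ';' starts a comment line."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries):
    """First token of every launch directive, normalised to a relative,
    lower-case, forward-slash path. Duplicates are dropped."""
    programs = []
    for key, value in entries.items():
        if key not in LAUNCH_KEYS and not VERB_COMMAND.fullmatch(key):
            continue
        if not value:
            continue
        if value.startswith('"'):          # "quoted path" args
            program = value.split('"', 2)[1]
        else:                              # path args
            program = value.split()[0]
        program = program.replace("\\", "/").lstrip("./").lower()
        if program not in programs:
            programs.append(program)
    return programs


def count_hidden(listing):
    """What Explorer's status bar reports as 'plus N hidden'."""
    return sum(1 for item in listing if item["hidden"])


def audit(autorun_text, listing):
    """Cross-check launch targets against hidden entries in the listing."""
    entries = parse_autorun(autorun_text)
    hidden = {item["name"].lower() for item in listing if item["hidden"]}
    targets = launched_programs(entries)
    return {
        "autorun_hidden": "autorun.inf" in hidden,
        "launch_targets": targets,
        "hidden_launch_targets": [t for t in targets if t in hidden],
    }


# Constructed sample; the file name is a placeholder, not a real IoC.
SAMPLE_AUTORUN = """\
; constructed sample, not taken from any real infection
[autorun]
icon=photos.ico
open=example_dropper.exe /quiet
action=Open folder to view files
shell\\open\\command=example_dropper.exe
"""

SAMPLE_LISTING = [  # constructed directory listing with Hidden attribute flags
    {"name": "photos", "hidden": False},
    {"name": "autorun.inf", "hidden": True},
    {"name": "example_dropper.exe", "hidden": True},
    {"name": "notes.txt", "hidden": False},
]

if __name__ == "__main__":
    print("plus", count_hidden(SAMPLE_LISTING), "hidden")
    print(audit(SAMPLE_AUTORUN, SAMPLE_LISTING))
```

    A listing where autorun.inf and its launch target are both hidden while the visible entries look like ordinary user data is exactly the situation the screenshots describe; a scanner that only looks at visible files would not see either.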
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This refers to disabling the script engines and the command prompt.

    In my post #48 above, I did give Registry files for toggling the Enable/Disable of the script engines. The same can be done for the command prompt if so desired. Completely disabling/crippling these Windows functions is rather drastic, in my view, and should be carefully considered before doing so. That is why I wouldn't make such a blanket recommendation.

    There are many approaches to the security problems discussed here. Before applying every "fix" that people come up with, one should evaluate the potential vulnerabilities and then decide what is appropriate for you!

    Everyone should read/re-read Peter2150's post #78 above for a good approach to this.

    ----
    rich
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yep, easier, and runs things in a secure environment, freezing what's outside that environment - like UAC. (Things still work outside, but changes are seen once you're in the usual environment again - music, installations, etc. don't stop. :))
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi SSJ

    Reason I like the HIPS with Sandboxie, is twofold. While I indeed put a lot of faith in Sandboxie, there is still always the chance.... as Tzuk himself says.

    Secondly, even though sandboxie contains it, I don't know about it, and for many reasons, it's nice to know if something strange is going on. The HIPS will alert me.


    As to the email, you are right. All my personal email is browser based, but my clients' email comes in to Outlook, so I run it sandboxed.

    Pete
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Alright thanks for this Rmus.
     
  6. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    If your internet is through a cable company, you're already on a network, along with other customers.
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    So I think. Sometimes I also use Returnil in addition, so I surf the web in a session that is virtualized, sandboxed, and anyway protected by the HIPS.
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    I agree that you can't get 100%. But at the same time, what are the chances of malware busting through Malware Defender and Deep Freeze, or busting through a Sandboxie and Malware Defender combo?? Is there such malware in existence?? If you deny the malware from running in the first place, is it even possible??


    I would say from most of our setups here we would be 99.999 percent secure.
    LOL there is more chance of me winning lotto than getting infected.

    There is very little difference between 100 percent and 99.999 percent, so I personally don't have a problem with people saying 100 percent.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are right. I am on Comcast Cable, but I come in thru a router. I have four computers on my own network, and each of them has Online Armor's firewall on them. Additionally they are all tied together with Cisco's Network Magic, which knows which 4 machines are allowed and it does warn of an intruder.

    Pete
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am curious, do you consider DropMyRights a fully baked solution for a specific executable when in Admin mode?

    Sul.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good idea:thumb:
     
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'd guess it uses the same restrictions as, say, LUA, so at least it would be a great idea. Personally I consider that using, or at least setting up, LUA is even easier, and then I know that everything is running with/has limited rights, unless I decide otherwise by myself.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    True, having default-deny would then not have to rely on memory to be sure X program is protected. lol, with the way my memory is at times it might be a good thing.

    But my point was about the comment that using SRP in Admin is half-baked: is this same thought held about using DMR, albeit for a specific application instead of system wide? The reason: DMR and SRP (utilizing Basic User, aka restricted) are functionally identical. So I was wondering, if DMR could be considered 'acceptable', why the downplay of using SRP in admin, which achieves the exact same benefit, plus makes it 'run safer' all the time without a special shortcut, without using another executable to do it, and can be told to do it based on a wildcard path. It is already built into XP/Vista/7 to look to the registry when creating a process, so it is posing no performance hit because the OS will look there regardless of whether you use it or not. I love that part BTW.

    Sul.
     
  14. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I suppose if you're running as admin it's a good idea. I only log into my admin account to run Windows update or install hardware, so I haven't given much thought to it.

    I find LUA to be easier, everything is limited unless you decide to run it as admin. I have no real-time security apps running and never get malware, so at least for me, it does work.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is a document file exploit that didn't require a macro to run:

    Malicious RTF Document in Targeted Email Exploit
    https://www.wilderssecurity.com/showthread.php?t=244726

    By using RTF instead of DOC, the exploit will run on whatever application is associated with RTF, including Wordpad.

    Pete tested this with Sandbox and the exploit failed. The reason I knew he would be interested in this is because it deals with email attachments. Normally, home users are advised not to open attachments from unknown sources. In Pete's case, he has office workers (who are very knowledgeable about security, I'm told) who receive MSWord documents and need to open attachments. Not wanting to lock the computers down completely (as with anti-execution protection), his use of Sandbox in this case fits his needs perfectly, and is a good example of evaluating possible vulnerabilities and coming up with a solution for a particular situation.

    The classic example of a media file exploit -- seemingly a non-executable file -- is the Windows Metafile (WMF):

    http://www.urs2.net/rsj/computing/tests/wmf_zeroday/

    While the early exploits were triggered by remote code execution, malicious files began to turn up in other places, and a number of image viewers would trigger the exploit when the user double-clicked to open the file.

    mp3 and other media files are commonly used in social engineering exploits. Here is one:

    Fake MP3 Trojan Detected On 27% Of PCs
    The Koobface exploit attempts to trick the user into updating the Flash Player when clicking on a video file.


    Tricking the user is the method, because just attempting to spoof .exe as .jpg or .mp3 will launch the particular application associated with that filetype, and an error will result:

    [image: jpg.gif]

    Some years ago it was documented that a .jpg file can have some executable code prepended to it, which would make the file execute, but this has not been used in exploits, to my knowledge.

    ----
    rich
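    The point above, that a renamed .exe does not run as an image and only a user who is talked into launching it as a program gets hurt, can be turned into a content check. The following is an added example written for this thread, not code from the post or from any product it mentions: it compares a file's leading bytes against the type its extension promises, and also flags the double-extension trick (media name, .exe ending) used by the fake-media-file lures. The signature table covers the types discussed in the thread (JPEG, GIF, MP3, RTF, WMF, PE executables); the byte strings fed to it are constructed samples, not real files.

```python
"""Added example (not from the Wilders thread): flag files whose content
does not match their extension, and names that hide .exe behind a media
extension. All sample data is constructed inline."""

# Leading bytes ("magic") for the types discussed in the thread.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "rtf":  [b"{\\rtf"],
    "wmf":  [b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00"],  # placeable / standard header
    "exe":  [b"MZ"],                                      # PE/DOS header
}

# Extensions a user reads as "just data"; seeing one before .exe is a lure.
MEDIA_LIKE = {"jpg", "jpeg", "gif", "mp3", "rtf", "wmf", "pdf", "doc", "txt"}


def identify(data):
    """Set of extensions whose magic bytes match the start of the data."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def check_file(name, data):
    """Return (verdict, detected_types) for one file name and its content.

    Verdicts, most severe first:
      double_extension      song.mp3.exe
      executable_disguised  PE header behind a non-.exe name (also catches
                            an image with executable code prepended)
      extension_mismatch    known extension, content is something else
      unknown_extension     extension not in the signature table
      ok                    content agrees with the extension
    """
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sorted(identify(data))
    if ext == "exe" and len(parts) > 2 and parts[-2] in MEDIA_LIKE:
        return "double_extension", actual
    if "exe" in actual and ext != "exe":
        return "executable_disguised", actual
    if ext in SIGNATURES and ext not in actual:
        return "extension_mismatch", actual
    if ext not in SIGNATURES:
        return "unknown_extension", actual
    return "ok", actual


def triage(files):
    """Run check_file over (name, bytes) pairs; return only the alerts."""
    return [(name, verdict, types)
            for name, data in files
            for verdict, types in [check_file(name, data)]
            if verdict not in ("ok", "unknown_extension")]


# Constructed samples: a few header bytes plus filler, not real files.
PE_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 16
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8),
    ("photo_renamed.jpg", PE_STUB),          # .exe renamed to .jpg
    ("holiday_video.mp3.exe", PE_STUB),      # double-extension lure
    ("invoice.rtf", b"{\\rtf1\\ansi\\deff0 }"),
    ("clip.wmf", b"\xd7\xcd\xc6\x9a\x00\x00" + b"\x00" * 8),
    ("notes.txt", b"plain text, no signature"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLES):
        print(alert)
```

    The check is deliberately one-directional: a file that looks like a PE image under any other extension is always reported, while an unknown extension with unknown content is left alone rather than guessed at, since the thread's point is that the dangerous case is the one the user is persuaded to run.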
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The malicious .wmf file executed spontaneously when opened in a vulnerable image viewer.

    http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
    Vulnerability Details
    Graphics Rendering Engine Vulnerability - CVE-2005-4560:
    W32/WMF!exploit
    http://www.fortiguard.com/encyclopedia/virus/w32_wmf!exploit.html
    NOTE: This vulnerability was patched long ago, but it demonstrates how a seemingly non-executable file can be used to exploit vulnerability in the Operating System.

    ----
    rich
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is another reference I found in my notes:

    WMF Image Handling Exploit
    http://antivirus.about.com/od/virusdescriptions/a/wmfexploit.htm
    ----
    rich
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was just wondering what you would consider half-baked. Certainly using SRP or DMR to lower a process's privilege is not fool-proof, but it is pretty good security (lol). I was just curious.

    Sul.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This was your original question:

    You didn't specify protection other than Macro protection, otherwise I wouldn't have bothered giving you any examples.

    You should have included,

    and the answer would have been "No."

    ----
    rich
     
  20. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    It's just my opinion that LUA+SRP is going to be more secure than admin+SRP, assuming that one is looking for the more secure solution. Certainly using DMR is a significant improvement over not using it, but with an LUA you obviously don't need it.

    I find it simpler (and safer) to have everything limited and only raise the privileges of things that absolutely require it rather than have everything running with admin privileges and lowering the rights of specific processes.
     
  21. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think it's confusing to say configuring security software incorrectly is a case of user error.

    In most discussions here, user error is understood to mean that someone ran a piece of software mistakenly or inadvertently.

    This could be for a few reasons ->
    being used to clicking allow on prompts.
    not reading prompts.
    being rushed into clicking a prompt by rogue software.
    etc.
     
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Going back to the original question of the OP, which is HIPS vs AE.

    I haven't tried the AE yet (may try it in the future for simplicity's sake), but someone posted that the advantage of HIPS over AE is the verification done by HIPS to prevent changed programs. A theoretical possibility, but a very remote one, is if your trusted application suddenly became 'Big Brother', or the developer of your trusted application has sold his soul to the devil, which in our case is 'Big Brother' (ha ha), and certainly a HIPS (especially the HIPS component of a firewall) would warn if something strange is happening if that program becomes too leaky. But this is only a privacy risk, not quite a security risk. But there is a thin line between security and privacy. Now how about the HIPS developer selling his soul to the devil? Well, that's another reason why I don't want the HIPS phoning home or auto-updating. The above is a very remote possibility bordering on the paranoid and the insane. So, you can disregard this possibility and have a good night's sleep.

    OT: I am a believer in checks and balances, so I wouldn't put my entire trust in one single application; likewise I am quite leery of a HIPS with full network functionality and would rely on a small-memory-footprint firewall with application control capability (HIPS functionality) to guard network defenses. I even have another firewall with application control guarding that firewall. Strangely, and contrary to popular belief, no wastage of CPU cycles, nor big resource wastage, nor instabilities or incompatibilities noted. I can even see the other firewall leaking some DNS___ held in check by the other.

    PS: As they say, "trust no application". HIPS and application control in some firewalls can even check and control the operating system components themselves from doing some strange behaviour. That's a definite advantage of HIPS, especially if the operating system is a friend of our Big Brother. he he
     
  23. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can Comodo Defense+ be configured to act as an anti-executable? Does it recognise all binary executables? Thanks.
     
  24. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Excellent thread
     