How do YOU stop malware for the masses?

Discussion in 'other anti-malware software' started by Sully, Aug 6, 2012.

Thread Status:
Not open for further replies.
  1. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    Jeez your users/customers sound like my wet dreams fantasies.

    Mine are divided into 2 groups. Friends, relatives & those too poor to remunerate. They don't care for the most part they know I'll be there to fix it.

    The others disable some or all the security measures I've implemented. Don't backup their data. And the next time it happens they'll buy a new computer rather than pay me. It takes me at least 4hrs to half *** fix their computers, because until their computers are at a crawl or don't work at all, they don't care.

    I really think the answer is remote maintenance & repair. Either by friends, peeps like me or the big boys who advert on tv.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Some other suggested solutions have been put forth, but they don't help because of the following:

    They have Admin elevation at will, and this is the root problem.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    full time in Limited accounts :thumb:
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As far as I've seen there is no generic solution for security, or rather there is a 'solution' but no one has implemented it.
     
  5. DX2

    DX2 Guest

    There are a couple that detect it, I found out that Twister detects it when I tried to download it.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You are correct, there is a solution but no one has implemented it. Well, that is to say only a small % use it.

    It is of course not having root in your normal account, at all, zippo, nada, zilch.

    The problem is so many use good old windows, and have been used to such an "easy" environment, how on earth are they going to impose a default non-root environment and not alienate their user base? LOL, what a catch 22 this is, the most popular OS by far needing to be user friendly to be the most popular, yet for them to be user friendly, they need to provide root easily to their user base. We of course know it doesn't have to be this way, and that there are plenty of exploits available so that user land only wouldn't solve everything, but still...

    I love threads like this, where ideas are bouncing around. Someone is sure to get a new idea or two from this ;)

    Sul.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is 100% NOT the valid reality that most users exist in. It might be for you and others, but I fix a LOT of computers with up to date AVs, of the free kind and the paid for kind. I wish there was one AV which actually did stop even 80% of "baddies", I would tell everyone to use it. But as it stands, at least from my limited demographics, an AV is not "the answer", but merely one tool to use.

    Sul.
     
  8. I think a lot of this is predicated on "the masses" remaining ignorant. IMO things don't have to be that way - people can learn, and they don't have to become experts to stay safe, any more than they have to become auto mechanics to learn how to drive safely.

    That said, there's a bit of a barrier.

    e.g. I've had family members ask me if I was joking when I explained phishing to them. It's not much of a leap from the old phone scam, but if you've never heard of it and never encountered it, it probably seems pretty novel.

    I think this is even more the case for malware. If I were to tell a relative that a crook in another country might send him an apparently empty envelope, with a friend's return address and handwriting on it... Containing a tiny invisible robot... Which would sneak around his house at night, hide in his wallet, read his credit cards, record his PIN whenever he used an ATM, and deliver reports by phone to the thief on a nightly basis... Said relative would probably think I had cracked. But stuff like that happens on the internet fairly often.

    tl;dr: Computer stuff is not intuitive, but not impossible for people to learn either. If they want to avoid getting hit by malware and/or scams, they need to learn the basics. IMO there's just no way around that, no matter what the security setup is.
     
  9. DX2

    DX2 Guest

    It's not 100%, but nothing really is. But it's a start for one. It seems like the only way is a layered security system.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I totally forgot the 1806 trick! Good catch! :D By the way, if running Google Chrome the way I previously mentioned, then one other attack vector gets eliminated - driveby downloads. chrome.exe won't be able to temporarily access the Temp folder, and the browser won't be able to initiate any downloads; the user will need to explicitly and temporarily apply a low integrity level to the Temp folder.

    Works like a charm. :blink:
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The kind of people you're referring to are just like some of my relatives; they used to get themselves in real problems, severely infested machines. Then I followed a different approach. Most of it, I mentioned already, but another method besides an antivirus, is to use domain blacklisting from different sources.

    At the moment, these relatives are using Google Chrome's Safe Browsing, Norton ConnectSafe, AVG LinkScanner which also helps to prevent exploits, which is an additional anti-exploit barrier working side by side with Chrome's sandbox, there's also Adblock Plus, which while not a security measure, considering that according to past events driveby downloads happen through hijacked ads, it's a great addition.

    On top of that, I also use another method some folks dislike - the hosts file. :p Based on a test by Zscaler sometime ago, these free lists do a better job than the browser's built-in domain blacklisting. The hosts file is updated using different great sources, and it's a 2-minute process or something like that. It's worth the wait, IMHO.

    I do understand that it's blacklisting and it's far from being effective, but if well maintained, then each individual blacklist source will add something other lists don't have entries to block, increasing the blacklist security layer.

    And, hopefully, I will reintroduce TrafficLight back in their systems in a couple weeks. :argh:

    This having under consideration that I know they would never use something like Sandboxie. So, if one can't hunt with a dog, use the cat. :D

    Regarding e-mails, they actually do not open unknown e-mails. Curious. :eek:
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I disagree that users not running root is the solution Sully. But I think there is a generic solution possible. I think DX2 is correct - detection software is necessary for an average user.
     
    Last edited: Aug 6, 2012
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    This proves it's not rocket science. As I've maintained before, sounding like a broken record: download and install from known, trusted sources, and virtually all malware problems are eliminated. I guarantee it (based on personal experience). It puzzles me why anyone would continuously install something that pops up unexpectedly and with no intent to do so.

    I like this approach very much, just as you taught me how to run Firefox/Waterfox at Low il :thumb: I've got Waterfox running Low il with NS extension. Virtually bullet proof imho ;) I'm also experimenting with kees' 1806 trick in the vm.
     
    Last edited: Aug 6, 2012
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Chrome/Chromium renderer processes also run with an untrusted integrity level. :D So, by design the sandbox is already stronger. :D

    Anyway, in one of my previous posts I also mentioned that Google Chrome has a command line switch called --host-rules, which allows control over which domains or top level domains (*.com, etc) the user can access. Firefox doesn't offer this kind of control natively, but there's a great extension called BlockSite Plus.

    If anyone searches the forum for my nickname and the extension's name, you'll find out how to achieve this control. Really cool. :) By allowing access only to predefined top level domains, we're also blocking lots of malicious domains without having to resort to blacklists.
     
  15. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I would consider my neighbors average users. I convinced them to stop using Frostwire; I try to stop anyone from using those kinds of things. I have had to occasionally remove malware. Every time I check their PC they seem to have some new toolbar or junk program; it's amazing how I ask if I can uninstall a program and they don't even know what it is or how it got on there. Now I am trying to convince them to get AppGuard, as it is simple to use and will stop all drive-by downloads; of course that won't stop them from installing junk.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    NS extension allows only top level domains as well. BlockSite Plus looks intriguing, but NS has an impressive proven track record.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Answer: I don't for I won't be able to.

    Instead, my objective nowadays is to help set things to be better. That's all.

    A) Finding the root of the problem

    In most instances, most users come across malware from 2 'sources':

    1. Social engineering
    2. Drive-by downloads

    I've given up tackling the problem of social engineering...if people want to install whatever programs they want to without much thought or do what I call "stupid" things, then they take responsibility for their own actions.

    If someone is ignorant and does not know of the dangers of the internet, I don't mind sharing with them certain info/tips to keep them 'safer' but I can't be bothered to do the same for those who simply refuse to listen.

    Instead nowadays, I'm more interested in helping to reduce the likelihood of users being affected by the so-called "drive-by downloads".

    B) My approach

    For the most part, people either refuse to learn and/or give up their convenience or liberty to do certain things the way they're used to.

    As such, I realize that:

    "User education" - more often than not fails in my experience.
    "3rd-party security" - making them 'suitable' for others is a chore.
    "Highly tweaked settings/configurations" - complicates things.

    So, what do I do? I'll be honest: I give up on the idea of making things as strong as possible. Instead, I set up a bare minimum rather than worry over everything.

    Assuming it's Vista or Win7, this is the

    i) "Bare minimum" setup:

    1. Install IE9, set custom security settings and use Fanboy's TPL. Install Firefox (with ABP) and/or Chrome (with ABP Beta) as well. I can't be bothered to force them to use 1 particular browser. It's their choice. Instead, regardless of which of these browsers they use, all have ad-blocking. Notice that I don't modify IL or set up fancy extensions whatsoever.
    2. EMET (on Maximum security settings if possible)
    3. No Java. Period.
    4. UAC at high, regardless of whether they like it or not; and regardless of whether they're click-happy or not.

    To reduce the likelihood of a drive-by even further, and only if they're willing to 'right-click, run as Admin' to install programs, I add these restrictions:

    ii) "Slightly better" setup:

    5. SRP (either through reg file method or secpol.msc) or
    Applocker (path-based approach similar to MrBrian's)
    6. 1806 trick (sometimes)

    By using the default AAM account, they can still elevate to admin rights and do admin tasks. I only include the 1806 trick for those who can give up their liberty to install programs. (I don't even bother explaining how to 'unblock' 1806)

    Only if they're willing to go the LUA way, then I add these restrictions:

    iii) "LUA way" setup:

    7. Set up 3 accounts
    E.g. Jack is the owner of the computer

    - Jack as default account (LUA)
    - JackAdmin (AAM account)
    - safeguyAdmin (my AAM account....password only known by me)

    JackAdmin's password is known by Jack but I tell Jack 'try' not to log-in to this account; unless he needs to do admin tasks.

    Only if they're willing to give up admin rights altogether, then I set up the same 3 accounts but with JackAdmin's password set by me and unknown to user.

    Conclusion:

    As you can see, mine is definitely not the strongest setup you'll come across but as I've told earlier on, that isn't my objective anymore.

    What happens if malware still gets through?

    I do any one of these:

    1. re-image
    2. re install
    3. anti-malware cleanup
    4. I leave them to deal with it. I might even say " It's time for you to learn it the hard way. "
     
    Last edited: Aug 6, 2012
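An added example, not code from the thread or any poster: a PowerShell script that audits the Windows settings behind the steps above (UAC at high, the SRP default level, the 1806 value per zone, and whether the account is a true LUA or an AAM account) and can apply the 1806 trick. The registry locations and values are the standard Vista/Win7 ones; the function names and the -IncludeIntranet switch are my own, the latter added because Sully mentions applying 1806 to the intranet zone as well as the Internet zone.

```powershell
# Added example (not from the thread): audit the "bare minimum" / "slightly better"
# settings and apply the 1806 trick on Vista/Win7. Function and switch names are mine.

# UAC "always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Software Restriction Policies (secpol.msc or the reg-file method) are stored here.
$srpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Per-user IE zone settings; zone 1 = Local intranet, zone 3 = Internet.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SetupStatus {
    $uacHigh = (Get-RegValue $uacKey 'EnableLUA') -eq 1 -and
               (Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin') -eq 2 -and
               (Get-RegValue $uacKey 'PromptOnSecureDesktop') -eq 1

    # SRP DefaultLevel: 0 = Disallowed (default-deny), 0x40000 = Unrestricted (no SRP).
    $srpLevel = Get-RegValue $srpKey 'DefaultLevel'

    # 1806 = "Launching applications and unsafe files": 0 Enable, 1 Prompt, 3 Disable.
    $internet1806 = Get-RegValue "$zoneKey\3" '1806'
    $intranet1806 = Get-RegValue "$zoneKey\1" '1806'

    # Membership vs elevation: an AAM account keeps S-1-5-32-544 (Administrators) in
    # its filtered token as deny-only, so Groups shows membership while IsInRole only
    # says whether this session is elevated. A true LUA account has neither.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $inAdmins = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # New-Object rather than [pscustomobject] so it also runs on Win7's PowerShell 2.0.
    New-Object PSObject -Property @{
        UacAlwaysNotify         = $uacHigh
        SrpDefaultDeny          = ($srpLevel -eq 0)
        SrpDefaultLevel         = $srpLevel
        Internet1806            = $internet1806
        Intranet1806            = $intranet1806
        AccountInAdministrators = $inAdmins
        SessionElevated         = $elevated
    }
}

function Set-Zone1806 {
    # Apply the 1806 trick for the current user: Disable (3) in the Internet zone and,
    # with -IncludeIntranet, the Local intranet zone. HKCU is per-user, so run this
    # inside each account that should be covered (e.g. Jack's LUA account), not just
    # once from the admin account.
    param([switch]$IncludeIntranet)
    $zones = @(3)
    if ($IncludeIntranet) { $zones += 1 }
    foreach ($z in $zones) {
        if (-not (Test-Path "$zoneKey\$z")) { New-Item -Path "$zoneKey\$z" -Force | Out-Null }
        New-ItemProperty -Path "$zoneKey\$z" -Name '1806' -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

Get-SetupStatus | Format-List
```

Reading the HKLM keys needs no elevation, so the audit can be run from the LUA account itself to confirm it really is a limited one.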
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    safeguy is correct :thumb:
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    True. Only pointing out that even with an up to date AV, a lot of people still have issues, so an AV is not THE answer.
    Why would you disagree? The ability to elevate a process request to root could easily allow system compromise. User land rights might allow a keylogger and other annoyances, but not the system itself.

    So let me get this straight, you would rather see root within a click away, while relying on a scanning engine to provide the security? Honestly, that boggles my mind. It really does. No reason you can't have that view of course, there is no true right way. But I find it very interesting that you would think a scanner, which is always playing "catch up" to the current exploit of the day, to be a better answer than simply making root harder to get.

    Of course, we are talking hypothetical. When it comes to the masses, I fear you are quite right. I would have thought your personal opinion would have been the opposite though :blink:

    @m00nbl00d
    Those measures you mention, can many you know implement them themselves? Part of my goal is not to be tied down to everyone, but hopefully, one day, to find a good method that they can actually implement. Like I said, when they can't even run MBAM without a half hour help desk call, I certainly would not even broach the subject of "change your DNS servers". I fear I would become the local "wacko" for even propositioning them to do such a thing :D

    I block sites for my kids with a linux router box. It works really well. I have used things in the past like proxomitron and hosts files. My experience has been that many people actually get a little irritated when they cannot go somewhere. Funny thing really. I once knew a guy who got infected all the time. He spent a lot of money on little programs to help himself. I would routinely go to his house every week or two and clean things up. He paid me to remove a program he bought. I put a hosts file in place, the really popular one round about 1999. He could not get to some sites, so he figured out how to delete it. He just had to click on those popups, I guess because he was gullible. That is an extreme case, but I am less and less surprised any more by some people's actions lol.

    @wat0114
    I have been using the 1806 trick for some time now. I even set it to work on intranet files as well as internet. I have yet to see a downloaded file try to auto-execute, but if it did, that would pop up first, giving me the opportunity to say no. I put it on my in-laws' machine, and they hated it. It was on internet only, but they were almost offended I would do such a thing. It is no wonder they get infected as they click "yes" to everything. I have received a lot of home baked pies because of this attitude. I do like pie ;)

    I think more and more I lean towards a little speech on what to watch out for and no extra software, and definitely no tweaks. I try to talk them into being a user, but it doesn't work much of the time because many just find it inconvenient because they don't understand what is going on.

    I have been thinking how I can better utilize images. I try to get a lot of them to store data on external media or at the least create a partition for them. I know one gal who makes her money with her pc. She is fairly savvy, knows what files/folders are, knows what the main file types are and why extensions exist. I have reinstalled her machine a good number of times, and built new machines or spruced up store bought ones over the years. She calls me with an emergency because she can't make any money as her machine is kaput. I emphasize over and over again to save your data to XYZ location and I can put an image on quickly. She never has. I always end up picking through her machine to save her stuff. She took it to a pc shop once, and they wiped it without saving stuff. She pays me well now. Sometimes I think she paid me more than she would have made in a day's work.

    It is all just crazy.

    Sul.
     
  20. "Keyloggers and other annoyances" are what's important these days though. And rootkits aren't necessarily needed for such things, simply because most users wouldn't recognize one if they saw it in the task manager.
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Where does the user's data exist? What are we really out to secure here?
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't imagine that the un-interested will ever really have a system that is free of problems for a prolonged time period. So, I would protect the system so a reinstall is not required, and should a reinstall become required, I would desire that their data would be someplace other than the OS partition.

    That is true. However, much of what I see is still propagated via elevation - it isn't userland any more for these.

    If everything was userland only, it would be only a minor inconvenience to muck it out and start over, because the OS would not have been affected.

    This line of thought is why virtualization should be employed and why it should be as commonplace as possible, so that the complete neophyte who knows how to surf the web and open "my documents" also understands virtualization. Save files to a specific location, make sure it is "recovered" from the virtualized area, delete virtualized data. Start over.

    SBIE could be the answer for so many if they would only quit griping and learn a thing or two.

    Sul.
     
  23. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Sully, I was trying to point out that often the primary and sometimes only objective is to secure sensitive user data. Not just against unauthorized deletion or modification (let's assume backups cover that) but especially against unauthorized transmission/release to some other party or parties. The main and sometimes only reason the OS is secured is because it will have, and control, access to the user data. Securing the OS itself is not enough though; the user data must also be protected against userland/application threats too. A very primitive standalone program doing simple file and net I/O can be enough to ruin someone's day.
     
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    For people like this you can't "stop" it, you can only clean it afterward. Reason being they're not inclined to use measures that could "prevent" the problems from occurring in the first place (SRP, LUA, sandboxing/virtualization, etc..). So you have to settle for reactive measures (cleaning/fixing) instead of proactive.

    The problem I run into the most isn't with the people, but their kids. They'll tell me: "He'll throw a conniption fit if he can't download/click on everything he sees on the net." To which I reply: "Then I simply cannot do the job you want me to do. It ties my hands." And I tell them that they're going to continue to get infected and repeat the vicious cycle. They usually just shrug their shoulders as if to say, "well, I don't know what else to do". And just accept that it's inevitable. Because god forbid their kid tries to use something someday and it doesn't work due to some restriction... they're willing to make that trade-off.

    What can you do about this? Nothing at all... keep cleaning their infected computers, re-imaging, etc... Give them a competitive AV, inbound only FW/properly configured router, ABP, and just hope for the best while expecting the worst.
     
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I agree to this. When prevention and detection fails, you're left with recovery as your means.

    I look at it in a different light. I think your problem is with the adults, not the kids. If adults can't go against the kids' wishes and make the firm decisions for their kids (especially for a good cause), the problem lies in the adults and not the kids.

    Unless it's your source of income, another thing you can do is to refuse to do the cleaning job for them or just 'play hard to get'...:p
     