How to secure Windows XP after it Xpired?

Discussion in 'other anti-malware software' started by mattdocs12345, Nov 2, 2013.

Thread Status:
Not open for further replies.
  1. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    I have 3 WinXP SP3 machines all working great. My 2 main machines are set up as NIS2012 with ID Safe, FF25 with ABP, MBAM on demand, Sandboxie 3.76, CryptoPrevent, CCleaner, VLC media player. The other machine is used as a test machine. Will be installing HMP.Alert/CryptoGuard when out of beta. Currently testing TTF (Time Freeze). I remember Blue Zanetti posting an XP tweak guide for hardening XP. I'm thinking a list will be needed for XP features and services that will/should be turned off/disabled: updates, Messenger, Media Player, etc. Your thoughts please. Thanks
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    True about EMET's limitations under XP, but the OP does have SRP which, if set up correctly, should prevent unauthorized executables from running. DLL enforcement could be utilized as well.
     
  3. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    Just use ZoneAlarm free together with Avira Free then you are safe with your XP.
    that's all
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    How about exploits with memory-only payloads?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Are there anti-rop mitigation techniques in EMET not available on XP?
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    I figure this is where NoScript for Firefox or other form of script control for Chrome is the first line of defence for the drive-by downloads, and EMET being the second line (though I understand it's weaker on XP). At least this ought to reduce the attack vector to user inflicted only?
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You can see the difference between XP and more modern OS's in EMET's own User Guide:
    http://download.microsoft.com/downl...C-9192-444810C26F6B/EMET 4.0 User's Guide.pdf
    Obviously SRP, white-listing, NoScript, sandboxing and other such techniques will considerably lower the attack vector even with those differences. But for regular grandma users who do not or cannot manage those types of prompt-intensive approaches, solutions such as MBAE which also includes stage2 anti-payload protections without prompts are more comfortable to use.
     
  8. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    There's really nothing about EMET itself that's limited on XP... basically it's just XP's missing ASLR?

    Dropped payloads are prevented from executing by SRP and Sandboxie's Run restrictions. Payloads are prevented from loading by SRP and permissions (no Execute -- no Deny used like Windows_Security).

    MBAE can't be configured for arbitrary apps, can it, or has that changed...?

    And finally, MBAE doesn't work with Sandboxie 4, so it's a non-starter. Or has that changed?
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Yes. There was one program - called "Wehntrust" or something like that, IIRC - that provided a form of ASLR on XP, via a driver; but I don't know how strong it was. XP does not have ASLR built in, only DEP.

    Sandboxie, yes. SRP can be circumvented entirely in userspace, since it's not kernel based. I wouldn't really trust SRP for anything serious.

    Probably better to use Sandboxie alone, I think, if it can intercept CreateProcess() et al. SRP adds a lot of inconvenience.
     
  10. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Oh, I know, you're not telling me anything I don't know (in that post, but thanks for the threads -- interesting!). Maybe we weren't both posting much between when you joined and I "left." But now it looks like some people that didn't think Windows updates (especially kernel) were a big deal have suddenly done a 180! :eek:

    I've been saying since before I joined here that we're screwed with kernel exploits, so I'm not sure what I'm going to do after April... That's why I also think ALL "security" software is basically useless (unless preventative), since anything can possibly disable/bypass it that wants to. I only have to worry about drive-by stuff, since I've never had a concern about anything I choose to run (and now I can utilize Sandboxie if I want to check something)...

    But I also don't think that right now, with updates, XP is "less secure" in practice, even with the claims otherwise (and that it IS in theory). Not until someone shows me something that will succeed on XP but not newer versions... :) Almost always, EVERY Windows version has the same vulnerabilities, so that kinda destroys the "newer is better!" argument. (And in some cases, ONLY the newer versions have a certain vulnerability.)


    SRP adds ZERO inconvenience for me. :) I run as admin so I can do everything I want (as it should be, and why I don't want UAC), and SRP only applies to everything running with dropped rights... (Well, it's really Sandboxie now anyway, but that's how my "2-level" SRP setup works.) I need to hopefully get the dropped rights/Basic User SRP thing working with Win 7 for when I eventually move on (and for others to use if it works), so I can still run as full admin, but not for most programs. Although none of this really matters with Sandboxie, I'd just want to configure the same way as if there was no Sandboxie. :p But I digress...


    SRP bypassed in userspace by-design you mean, or in general with something more crafty? I'll have a fix for the "by-design" SRP bypass on XP/Vista (8?) soon for inside Sandboxie at least (where it prob doesn't matter, other than DLL restrictions, which I almost have covered anyway). Hopefully a general, system-wide fix though too... *shrug*


    I was telling people how useless SRP is, even patched, because in-memory only stuff/loading, etc. Yet, I still use/recommend it, because in practice that stuff hasn't really happened so far, and it's FREE (don't mean money) and has zero downside when setup like I have it. Compared to dumb, dumb, dumb "anti-executables."
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, correct.

    Not yet, but it will most likely change after 1.0 is released.

    Correct. Does Sandboxie work alongside EMET? If so do you have to do any special config? This is something I have on the back-burner which I want to look at more in-depth.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Dr_Larry_Pepper: sorry about the 'splaining. :p What I mean about SRP is that the basic design (blocking execution from userspace) is flawed. The would-be parent process has to check whether it should or shouldn't spawn something, based on the policy. Therefore the memory of a parent process can be modified to bypass it. See here: http://erpscan.com/press-center/universal-way-to-bypass-group-policy-by-limited-user/ I think it's not so much a deliberate limitation by design, as MS developers thinking, "Eh, userspace should be good enough."

    (Kind of like how I thought "XP without updates should be good enough" a couple months ago :p)
     
  13. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yes, EMET works as long as Sandboxie's Start.exe doesn't start the program AFAIK (doesn't apply to my use). So if it's started by another sandboxed program (a wrapper script is enough) or as a Forced program (my case), it's fine.

    Whatever has been done to Start.exe (or the Sandboxie service does TO it) that breaks the AppCompat stuff is weird... I've asked why it can't simply run Start.exe a second time where it "somehow doesn't act that way" (since any other "normal" program creating processes is fine!), but nothing.....


    And with MBAE, that may be Sandboxie's fault too (not fixable by you without a different design?), but tzuk doesn't seem to have an interest in checking it out.
     
  14. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, that's the "crafty" way I referred to. Again, that hasn't been used that I know of, and AFAICT, there's not a general way to do that -- depending on different versions of whichever DLL, and needing to know the address of where TransparentEnabled is cached (after first CreateProcess). So hooking reg functions or such would only work before the first time (not sure what that method link is saying, didn't pay attention).

    ..... OK, it's advapi32.dll and an "initialized" flag (addr varies), which is why the referenced Russinovich method isn't reliable: Replacing Gpdisable

    When I said by-design, I mean the function flags as described on Didier Stevens' blog: here and here. That's what I'll have an XP/Vista fix for, at least in Sandboxie first (InjectDll and not as tricky as system-wide).

    The fact that it IS userspace is what allows my SRP setup to work the way it does -- programs without admin rights can't read the SRP reg entries that ALLOW everything (effectively disabling SRP otherwise). :)

    Oh, didn't realize you were one I was referring to! :oops: :p
     
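    An added audit script, not part of any post in this thread, that reads the machine-wide SRP settings discussed above (the DefaultLevel, the TransparentEnabled flag that controls DLL enforcement, and whether administrators are exempt) so you can see at a glance what mode SRP is actually in before relying on it. It assumes the standard CodeIdentifiers registry layout, PowerShell 2.0 (installable on XP SP3) and read access to HKLM; the value meanings in the comments are the documented SRP ones.

```powershell
# Added example: report the effective Software Restriction Policies state.
# Not code from the thread; assumes the standard SRP registry layout.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Output 'No machine-wide SRP policy is defined (CodeIdentifiers key absent).'
    return
}
$p = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue

# DefaultLevel: 0x40000 = Unrestricted (blacklist mode), 0x20000 = Basic User,
# 0 = Disallowed (whitelist mode; only explicitly allowed paths can run).
$levelNames = @{ 262144 = 'Unrestricted'; 131072 = 'Basic User'; 0 = 'Disallowed' }
$level = $p.DefaultLevel
if ($level -eq $null) { $levelName = 'not set (treated as Unrestricted)' }
else {
    $levelName = $levelNames[[int]$level]
    if (-not $levelName) { $levelName = "unknown value $level" }
}

# TransparentEnabled: 0 = SRP off, 1 = executables only (DLLs are skipped),
# 2 = all software files including DLLs, i.e. "DLL enforcement" is on.
$teNames = @{ 0 = 'SRP disabled'; 1 = 'executables only (DLLs NOT checked)'; 2 = 'executables and DLLs' }
$te = $p.TransparentEnabled
if ($te -eq $null) { $teName = 'not set' } else { $teName = $teNames[[int]$te] }

# PolicyScope: 0 = applies to all users, 1 = local administrators are exempt.
$scope = $p.PolicyScope
if ($scope -eq 1) { $scopeName = 'all users except local administrators' }
else { $scopeName = 'all users' }

Write-Output ('Default level   : {0}' -f $levelName)
Write-Output ('Enforcement     : {0}' -f $teName)
Write-Output ('Applies to      : {0}' -f $scopeName)

# List the path rules under each level so stray Unrestricted paths stand out.
foreach ($lvl in 0, 131072, 262144) {
    $rulesKey = Join-Path $base "$lvl\Paths"
    if (Test-Path $rulesKey) {
        Get-ChildItem $rulesKey | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            Write-Output ('  [{0}] {1}' -f $levelNames[$lvl], $r.ItemData)
        }
    }
}

# Call out the two weak combinations that matter for the setups discussed here.
if ($level -eq 262144) { Write-Output 'WARNING: default is Unrestricted, so SRP only blocks the listed paths.' }
if ($te -ne 2) { Write-Output 'NOTE: DLL enforcement is off; a DLL dropped into an allowed path is not checked.' }
```

Run it from an elevated PowerShell prompt; per-user SRP rules live under HKCU under the same relative path and are not covered by this script.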
  15. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    Will the XP firewall continue to work after the EOL (4/14)? I and my group of old retired guys are all XP users who only use our machines for email, surfing and a few purchases online. I'm their tech support and I'm trying to figure out replacement AV/firewall, what services/features to disable, etc. I installed Sandboxie on their machines over 1 yr ago and they are doing good with it. Any suggestions appreciated. Thanks
     
  16. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    I got 2 XP boxes, my son's Netbook and a very old desktop that rarely gets any use. My son's Netbook just uses Avast and the Windows firewall. The old desktop has EAM & Online Armor.

    I know we tend to be very cautious with security on this forum. But I have a couple of friends that never update anything (MS Updates, Flash, Java, Browsers) and have never been compromised once. Maybe they've been lucky or maybe we are all a little too paranoid in reference to how quickly an unpatched box will get compromised online.

    Anyway I'm doing nothing with those boxes. Since I never use any of those 2 PC's I'm going to risk them for the fun of it. Just going to let them use them as is and I will see what happens.
     
  17. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Trust me, I've been a member here for years, and it's full of "the sky is gonna fall, OMG!" security fanatics, and I'm still waiting for the big one to get me, and here I am, still waiting. ;)
     
  18. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    Mine and my friends' XP rigs are all working like brand new. I'm installing Win 7 on my HP Media Center because it has 4 GB RAM and 256 MB graphics. My other XP machine is hooked up to my HD TV and, like you said, I'm going to continue to run it and see what happens. If it gets trashed, I'll convert to Ubuntu. But my click-and-go buddies' machines will need help. I installed Sandboxie 3.76 and Firefox on their machines over a year ago and it has cut down on the calls for help. I will be installing HMP.Alert on their rigs when it comes out of beta. I'm thinking we XP users would benefit if we had a check-off list to prepare us for 4/14. Thanks
     
  19. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    210
    Location:
    USA
    A check list to prepare you for 4/14?? That is really not necessary if you understand the process MS goes through. When MS withdraws support for an OS, vendor support for third party apps will all but be gone within an approximate two year time frame. If someone knows how to protect an OS then the withdrawal of MS support is less important than the disappearance of third party app support. I suspect anyone on Wilders can agree that MS is really a piece of garbage. I had long ago determined that by the time End of Life came for XP I was going to a real OS (Linux). I am an XP die hard. Despite that, the time to jump is here. By the first two weeks in December I hope to leave the Microsoft world permanently. After the Snowden revelations of this past summer I hope I am not alone.

    Cheers

     
    Last edited: Nov 25, 2013
  20. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,271
    Location:
    UK
    Am I correct in thinking Patch Tuesday in April is the last time patches will be available for Windows XP?

    If that is so, surely it will be May, when the next Patch Tuesday comes around and the criminals reverse engineer the Vista-upwards patches, that is really the deadline?

    Am I correct with this thought process?

    Martin
     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    67,838
    Location:
    U.S.A.
    Martin, you are correct. See Windows XP SP3 and Office 2003 Support Ends April 8th, 2014. April 8th is the second Tuesday of the month.
     
  22. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,271
    Location:
    UK
    Thanks for the clarification
     
  23. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    These bona fide crooks with such resources at their fingertips would also not be targeting some average Joe more than likely. I don't buy that XP will be heavily targeted after its EOL, as most people will have moved on by then; they're just milking it to the very end. As has always been the case, the most used/newest OS's will be targeted. And even at that, some average user is of no interest to be targeted by anyone capable of such proficiency.

    Looking at any 1 security solution to help XP past its EOL in a vacuum, you can find flaws. Like you pointed some out with SSM. But what if this person using SSM also uses SBIE, runs as LUA, etc, etc...? It's when you put them all together... and keep in mind that for an exploit to attack this weak kernel the user probably has to be doing something stupid/risky in the first place. Which to most users in here disqualifies us from the bat.

    That said I'm still not playing with fire. I'm making the change to Win7, or maybe Whonix which I'm looking at now, before the April '14 patch Tue. As I don't feel they'll care too much about what they roll out that day.
     
  24. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,232
    Location:
    USA
    Imho Win7 is the best solution as long as you can find Win7-compatible drivers for legacy devices. If not, there's always Linux. ;)

    Cruise
     
  25. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    67,838
    Location:
    U.S.A.
    Martin, you're welcome! Take care.
     