Is sandboxing and restricting eMule, uTorrent and other p2p apps with HIPS enough?

Discussion in 'other anti-malware software' started by Swordfish_, Sep 17, 2008.

Thread Status:
Not open for further replies.
  1. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Hello,
    some questions about peer2peer applications sparked a bit of controversy in my mind lately. I do not use them on a daily basis, however, on the other hand, I can't ultimately say goodbye to them and.
    So, I wonder, what about such a scenario - let's leave protocol vulnerability and the possibility of downloading infected content aside (because I have a special approach to stuff downloaded from p2p - scanning with on-demand A2, SAS, MBAM etc. etc. and running most of the stuff on RVS protected with CPF's Defense+ set at "paranoid mode"):
    - a p2p app has some vulnerabilities, holes or maybe even some compromised/on-purpose devised code, which could lead to a breach in security of the entire system...
    ... and assuming that one of the above statements is true, would:

    - SandboxIE'ing it (with only allowing direct access to the specified download folders)
    - running a HIPS (in my case CPF with D+) that will restrict the p2p app's privileges to a minimum (btw. does anyone know what KeyMouseCount.dll is used for - it's in my Program Files/Samurize folder - and why does uTorrent, the newest version, install a hook on this DLL? Is this normal or not?)

    ... be enough to secure activity of p2p apps?


    btw. are uTorrent and eMule considered (in the light of the fact that the first is not open-source) safe or not?

    Best Regards :)
     
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I don't really understand the scenario you are proposing so I will answer generally. An infection from a p2p client can occur in two ways. 1) You download malware or 2) There is a vulnerability in the client that allows remote code execution.

    You mentioned that we need not worry about scenario 1 so I will concentrate on scenario 2. In this case, running the p2p client in Sandboxie with restricted permissions will provide a layer of protection. You may have your share folder wiped out but otherwise it should be fine.

    Regarding whether a program being open source or not has a bearing on security, hard to say as empirical evidence doesn't show a clear winner.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Vulnerabilities are possible with any software. As for being deliberately compromised, this has happened as well. Certain groups allied with the anti-piracy watchdogs have taken down some of the P2P apps and replaced them with their own. Shareaza V4 is one example. Imesh7 and BearShare7 are 2 more apps now under the control of the entertainment industry. The true Shareaza is still being maintained, but the shareaza dot com site is not under their control (hostile takeover). There's no telling what these rogue P2P apps may do or install, now or in future versions.

    Any software that handles unknown or untrusted content should be as contained as possible. I use SSM to limit Shareaza's activities/access to only what it needs to run.

    The open source issue does affect P2P apps. At different times, some of them came bundled with all kinds of adware/spyware. Kazaa used to be the source of some of the worst infections I've ever cleaned, not so much the severity of the malware but the quantity of it. The Open Source versions aren't normally bundled with such garbage, as long as the user gets it from the original site. I haven't checked which ones are safe in a long time. Don't know about eMule. Haven't seen any problems with uTorrent or Shareaza (not V4).
     
  4. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    Like the posters above me well explained, it's not the downloading/uploading process that you should worry about, it's the content that arrives on your HD and you open. Running uTorrent sandboxed will in theory make it more secure, but personally I would be more worried about any other Windows program for vulnerabilities. Office, Foxit PDF, Yahoo IM - I run these (as forced folders/programs) sandboxed, and leave uTorrent alone.
    I have uTorrent and StrongDC as p2p apps on my HDD; I don't know about eMule or others.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Swordfish,

    The best approach would be a sandbox which remembers the 'sandboxed/untrusted' state of the downloaded files.

    So when you are able to run all your P2P programs sandboxed (and keeping the files in the sandbox) you are okay, because the malware is chained in the sandbox environment.

    So in this case the choice would be Sandboxie/DefenseWall, second would be SafeSpace/GeSWall. SBIE is still actively developed (SafeSpace is abandoned). DefenseWall has more active development than GeSWall, plus DW has total untrusted file control (GW changes status from untrusted to trusted when you move a file to another partition).

    As an additional precaution I always mark the shared directories as untrusted (in both DW and GW; have not used SBIE for a long time).

    Regards Kees
     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I agree Kees, having DW only monitoring the SandBoxie folder gives you a full control over the recovered files from SB. The only weak link in the chain that remains is when it finally comes to the installation part.

    /C.
     
  7. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Hello,
    first things first - thank you very much for your replies.

    @huangker - yes, the thing that makes me worried the most is an actual vulnerability/on-purpose devised malicious code in the p2p client (my sincere apologies if this was unclear). Quite possibly, downloading malware is a more common threat than holes in the p2p client, however I'd simply like to focus just on the client-side securing of the p2p network and think about what I can do with the downloaded stuff later. (btw. it's quite obvious that most malicious code can be found in warez, keygens etc., but I assume one thing - most legitimate scene groups would never ever put malicious code in their releases, it's more about what happens with those releases later, they are often tampered with some strange stuff.)

    @noone_particular - good point about these watchdogs and the issue with open-source apps being loaded with some garbage.

    @virtumonde - you talk about sandboxing more every-day applications. Maybe this is an idea. But one question arises: where is the line between having enough security and still retaining real-world performance? As they say: "The proof of the pudding is in the eating", so I just wonder what _practical_ difference (in terms of: security, stability, speed and, last but not least, convenience) it would make if I sandboxed apps like Acrobat Reader, IM, Office or any other frequently used app. Interesting matter, maybe a little beyond the scope of the discussion here, but still worth considering.
    @Kees - You are right, the ability to remember the state of downloaded files (as well as the configuration status of a program that I run sandboxed) is important here.
    Other thing, I get the idea of having possible malicious files chained in the sandbox environment, however the thing that worries me most is not the actual downloaded stuff, but the malicious actions that the p2p app could make. Does Sandboxie protect from direct disk access? (yes, I do have a HIPS that monitors this aspect of apps' activity, but I'm just asking out of pure curiosity) Should I allow the p2p app to directly access download folders? (I have them on a second physical HDD and C: is usually protected with Returnil RVS)

    @Cerxes - well, aside the possible client vulnerability this will always be the weakest part...

    Once again, thank you & Best Regards,
    Swordfish
     