Most Effective Way Of Blocking Drive By Downloads

Hi

What is the most effective way of blocking drive by downloads. I use win XP SP3 Comodo PF + Defence+ Avast Home Sandboxie.

Can any of these be set up to block DBDs , if so how?

Thanks

Terry

 

Block program creation/execution of TEMP directory with D+

Sandbox IE Temp directory (but that is done by default)

 

Hi Kees1958


Thanks for your comment. Can I sqeeze you for a little more information.

How do you setup D+ to block program creation/execution of temp directory?

I am not as technically proficient as you.

Thanks

Terry

 

Good question. What about GeSWall? ThreatFire? SpyBot? Do these programs block drive by downloads?

 

and what about OA Run Safer?

Ice

 

IceCube1010]

OA Free v3
Avast Free
MBAM (on-demand)
(this is it, I'm not changing, I promise)
Reply With Quote

You did change. First it was TrendMicro, then just a few weeks ago, if not sooner, it was Comodo Internet Security Suite (CIS), now it s OA free and Avast. You promised that you are not going to change.

Well I understand you. I've been changing my security apparatus often, but now I'm using Comodo Firewall Pro, McAfee VirusScan Enterprise 8.7i (with Anti-Spyware module and Artemis Technology) and Norton Anti-Bot. That is it, I'm not changing.

Peace.

 

I don't know about TrendMicro, but yes, I had CIS by itself and its a very good product. Then I tried CIS without the AV and used Antivir Free but I was getting an error with avguard.exe on shutdown. Now I'm trying OA free with Avast and really like this setup.

I was waiting for someone to say something, your very observant!

Ice

 

@ Jaki & IceCube -- Please stay on topic. This thread is NOT a discussion of "your security set-up". There is a separate thread for that sort of discussion.

 

Yes do not drive buy Lowered rights,sandboxie has my vote.Geswall can help in this area as well IMO.

 

does the option in OA to "run safer" put the program in a sandbox like sandboxie or does it just lower its privileges?

 

It lowers its privileges

 

ok thx, i guess i shall be keep using my sandboxie then.

 

just use returnil

 

i would but i dont like the idea behind returnil, it just doesnt suite my needs as well as sandboxie does.

 

sorry, your right.

Ice

 

Actually, Geswall when I was using it, did come up with a red reject window on some un-savory sites. I'm using CIS now with the Firewall and D+ in Safe mode and CAVS. I'm hoping it will stop these types of attacks.

Ice

 

If, by Drive-by Download, you mean trojan executables attempting to sneak in, then, at last look a few weeks ago, I counted 13 solutions, most mentioned in this forum.

This topic came up earlier this year and I enlisted the help of several others to test various solutions against the drive-by attack. Note I used the term, "solutions," and not products, because Software Restriction Policies prevents this type of attack, and is not a separate product.

http://www.urs2.net/rsj/computing/tests/remote

The sensational media articles about dangerous exploits often instill fear. But, if the payload is a trojan executable file -- as most are-- then any solution that includes execution protection will prevent the exploit from carrying out the payload.

A good example was the WMF (Windows Media File) exploit from late 2005. While many were frantically trying out 3rd party patches while awaiting the Microsoft patch, those with proper protection were not vulnerable, because the payload was a trojan executable file. Proper protection didn't block the downloading of the .wmf file, rather, blocked the executable payload that code in the file attempted to run. No write ups at that time made this distinction.

Here, a later analysis explains:

Analysis of wmf file buffer overflow
http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html

Since not all general media articles these days give a lot of details, you have to search a bit to see what the exploit does. This should be standard procedure for those interested in computer security, and not be swayed by sensational headlines, such as,

Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts

Some examples of good analyses:

Malicious swf files?
http://isc.sans.org/diary.html?storyid=4468

MBR Rootkit, A New Breed of Malware
http://www.f-secure.com/weblog/archives/00001393.html

aka: TROJ MEBROOT.V

In both of these cases, the solutions tested above would block the drive-by downloads from executing. As would many others described in this forum.

I don't think you can say that any is more effective than another, since they all do the job. Some solutions are very simple (Default-Deny). Others require more configuration and user interaction. Decisions as to which to employ would seem to be based on user preferences.

----
rich

 

As long as there as OS/Browser/Plugin vulnerabilities there will be no sure ways of stopping DBD.

Suggestive preventive action:
a) Use AV suite which has a HTTP/Web scanner. So that if any DBD occurs its spotted as malware.
b) Use Sanboxing software for browser, so that any DBD cannot in effect cause harm.
c) Use site safety ranking plugins ( like Finjan,WOT,SiteAdvisor, etc.) to prevent/alert access to possibly dangerous sites.

Choose some or all of the above, depending on your system resources, user experience and threat perception.

Hope that helped...

 

Google on how to find or change your temp directories in XP or Vista (so you know where they are located)

Next go to D+ of Comodo, go to my protected files, add those temp directories (use Comodo HELP for clues)

I am not using Comodo at the moment (so can not give you more details). I just gave some extra tips using your current setup.

With SBIE enabled I would not be to scared about drive by downloads.

Save SBIE practise would be (virtually zero change of drive by infection)
a) use SBIE doing surfing
b) try files you downloaded with in sandbox after finishing surfing (close browser) and check them with your AV
c) move them out of the sandbox and flush sandbox

 

Yes... 99.999% bullet-proof!

 

LUA + SRP.

 

Might sound like a silly question but I have to ask. Would google chrome with its malware type protector help with these drive by downloads?

Ice

 

As far as I understand it, Google Chrome has a sandbox scheme similar to IE7+LUA on Vista.

So does it protect ? Yes, it does. But if there are any browser vulnerabilities, then the protection is breached. Also any vulnerability in browser plugin (like Adobe Flash) may also be used, which are not typically sandboxed by the browser. And most Drive-by-downloads, occur due to vulnerability exploits.

IMO Best to have a 3rd-party, enforced sandbox which is invisible to browser/plugin.

Hope I could help.

 

I don't know the most effective way of blocking Drive By Downloads !

I just wanted to mention, for the sake of perspective, that this can be done effectively with more mainstream, conventional software.

McAfee Virusscan Plus (once caught a malicious script that was trying to download a trojan), McAfee's SiteAdvisor's (more invasive than it used to be, I have it uninstalled) sites that are not rated as green or grey can be considered blacklisted.

Webroot's Spy Sweeper 5.5.7 (version without antivirus), it has an internet communications shield that has blocked some Drive By Downloads on my computer. I can't comment on later versions.

I haven't been infected by a Drive by Download in the past two years.

However, both companies are quite eager to collect your personal data (although one could argue about the 'personal').

I realize that my security setup is 'conventional' (but still working), and I intend to change it.

Choosing your browser and configuring it properly also helps.