Most Effective Way Of Blocking Drive By Downloads

Discussion in 'other anti-malware software' started by TerryWood, Nov 20, 2008.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi

    What is the most effective way of blocking drive by downloads? I use Win XP SP3, Comodo PF + Defence+, Avast Home, Sandboxie.

    Can any of these be set up to block DBDs, and if so, how?

    Thanks

    Terry
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Block program creation/execution of TEMP directory with D+

    Sandbox IE Temp directory (but that is done by default)
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi Kees1958

    Thanks for your comment. Can I squeeze you for a little more information?

    How do you setup D+ to block program creation/execution of temp directory?

    I am not as technically proficient as you.

    Thanks

    Terry
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,827
    Location:
    Last Breath Farm
    Good question. :thumb: What about GeSWall? ThreatFire? SpyBot? Do these programs block drive by downloads?
     
  5. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    and what about OA Run Safer?

    Ice
     
  6. Jaki

    Jaki Guest

    Quote (IceCube1010):
    OA Free v3
    Avast Free
    MBAM (on-demand)
    (this is it, I'm not changing, I promise)

    You did change. First it was TrendMicro, then just a few weeks ago, if not sooner, it was Comodo Internet Security Suite (CIS), now it's OA free and Avast. You promised that you are not going to change. :'(

    Well I understand you. I've been changing my security apparatus often, but now I'm using Comodo Firewall Pro, McAfee VirusScan Enterprise 8.7i (with Anti-Spyware module and Artemis Technology) and Norton Anti-Bot. That is it, I'm not changing. :D

    Peace.
     
    Last edited by a moderator: Nov 20, 2008
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    OA Run safer would prevent the download from doing damage as would Sandboxie.

    So would Defense Wall.
     
  8. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I don't know about TrendMicro, but yes, I had CIS by itself and it's a very good product. Then I tried CIS without the AV and used Antivir Free but I was getting an error with avguard.exe on shutdown. Now I'm trying OA free with Avast and really like this setup.

    I was waiting for someone to say something, you're very observant!

    Ice
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @ Jaki & IceCube -- Please stay on topic. This thread is NOT a discussion of "your security set-up". There is a separate thread for that sort of discussion.
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, do not drive by :D Lowered rights, Sandboxie has my vote. GeSWall can help in this area as well IMO.
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    does the option in OA to "run safer" put the program in a sandbox like sandboxie or does it just lower its privileges?
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It lowers its privileges
     
  13. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    OK thx, I guess I shall keep using my Sandboxie then.
     
  14. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Just use Returnil.
     
  15. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I would, but I don't like the idea behind Returnil; it just doesn't suit my needs as well as Sandboxie does.
     
  16. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Sorry, you're right.

    Ice
     
  17. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Actually, Geswall when I was using it, did come up with a red reject window on some un-savory sites. I'm using CIS now with the Firewall and D+ in Safe mode and CAVS. I'm hoping it will stop these types of attacks.

    Ice
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If, by Drive-by Download, you mean trojan executables attempting to sneak in, then, at last look a few weeks ago, I counted 13 solutions, most mentioned in this forum.

    This topic came up earlier this year and I enlisted the help of several others to test various solutions against the drive-by attack. Note I used the term, "solutions," and not products, because Software Restriction Policies prevents this type of attack, and is not a separate product.

    http://www.urs2.net/rsj/computing/tests/remote

    The sensational media articles about dangerous exploits often instill fear. But, if the payload is a trojan executable file -- as most are -- then any solution that includes execution protection will prevent the exploit from carrying out the payload.

    A good example was the WMF (Windows Media File) exploit from late 2005. While many were frantically trying out 3rd party patches while awaiting the Microsoft patch, those with proper protection were not vulnerable, because the payload was a trojan executable file. Proper protection didn't block the downloading of the .wmf file, rather, blocked the executable payload that code in the file attempted to run. No write ups at that time made this distinction.

    Here, a later analysis explains:

    Analysis of wmf file buffer overflow
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    Since not all general media articles these days give a lot of details, you have to search a bit to see what the exploit does. This should be standard procedure for those interested in computer security, and not be swayed by sensational headlines, such as,

    Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts

    Some examples of good analyses:

    Malicious swf files?
    http://isc.sans.org/diary.html?storyid=4468
    MBR Rootkit, A New Breed of Malware
    http://www.f-secure.com/weblog/archives/00001393.html
    aka: TROJ MEBROOT.V

    In both of these cases, the solutions tested above would block the drive-by downloads from executing. As would many others described in this forum.

    I don't think you can say that any is more effective than another, since they all do the job. Some solutions are very simple (Default-Deny). Others require more configuration and user interaction. Decisions as to which to employ would seem to be based on user preferences.

    ----
    rich
     
  19. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    As long as there are OS/Browser/Plugin vulnerabilities there will be no sure ways of stopping DBD.

    Suggestive preventive action:
    a) Use AV suite which has a HTTP/Web scanner, so that if any DBD occurs it's spotted as malware.
    b) Use Sandboxing software for browser, so that any DBD cannot in effect cause harm.
    c) Use site safety ranking plugins (like Finjan, WOT, SiteAdvisor, etc.) to prevent/alert access to possibly dangerous sites.

    Choose some or all of the above, depending on your system resources, user experience and threat perception.

    Hope that helped...
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Google on how to find or change your temp directories in XP or Vista (so you know where they are located)

    Next go to D+ of Comodo, go to my protected files, add those temp directories (use Comodo HELP for clues)

    I am not using Comodo at the moment (so can not give you more details). I just gave some extra tips using your current setup.

    With SBIE enabled I would not be too scared about drive by downloads.

    Safe SBIE practice would be (virtually zero chance of drive by infection):
    a) use SBIE when surfing
    b) try files you downloaded within the sandbox after finishing surfing (close browser) and check them with your AV
    c) move them out of the sandbox and flush sandbox
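    Rmus's point that execution protection lets the exploit file be downloaded but refuses to run the trojan payload, and Kees1958's tip of denying execution from the temp directories, can both be illustrated with a small model of a default-deny, SRP-style path policy. This is an added example, not code from Comodo, Sandboxie or Windows; the rules, paths and file names are constructed, and the evaluation (longest matching path rule wins, unmatched paths fall to the default level) is a simplification of real SRP behaviour.

```python
"""Model of a default-deny execution policy with SRP-style path rules.

Added example for this thread, not code from Comodo, Sandboxie or Windows.
The drive-by is free to *download* a file into the temp directory, but a
policy whose default level is Disallowed, with Unrestricted rules only for
the OS and program folders, refuses to *run* the dropped payload. Rules,
paths and names are constructed; the evaluation (longest matching path rule
wins, unmatched paths fall to the default level) is a simplification.
"""
import ntpath

# Extensions treated as executable, a subset of SRP's default list.
EXECUTABLE_TYPES = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "msi", "dll"}
DEFAULT_LEVEL = "Disallowed"  # default-deny
PATH_RULES = [  # (path prefix, level), constructed for illustration
    (r"C:\Windows", "Unrestricted"),
    (r"C:\Program Files", "Unrestricted"),
    (r"C:\Windows\Temp", "Disallowed"),  # writable subtree of an allowed tree
]

def _norm(path):
    """Lower-case and collapse '..' so a prefix test cannot be sidestepped."""
    return ntpath.normcase(ntpath.normpath(path))

def evaluate(path):
    """Decide whether running `path` is allowed; returns (verdict, reason)."""
    p = _norm(path)
    ext = ntpath.splitext(p)[1].lstrip(".")
    if ext not in EXECUTABLE_TYPES:
        return "ignored", "not an executable type, policy does not apply"
    best = None
    for prefix, level in PATH_RULES:
        n = _norm(prefix)
        if (p == n or p.startswith(n + "\\")) and (best is None or len(n) > len(best[0])):
            best = (n, level)
    if best is None:
        level, reason = DEFAULT_LEVEL, "no path rule matched, default level applies"
    else:
        level, reason = best[1], "matched rule for " + best[0]
    return ("run" if level == "Unrestricted" else "blocked"), reason

def drive_by(downloaded, payload):
    """Two stages of a drive-by: the download itself is not what the policy stops."""
    return {"download": "written",  # nothing here blocks the write to TEMP
            "exploit_file": evaluate(downloaded)[0],
            "payload": evaluate(payload)[0]}

if __name__ == "__main__":
    temp = r"C:\Documents and Settings\user\Local Settings\Temp"
    print(drive_by(temp + r"\page.wmf", temp + r"\payload.exe"))
```

    The `..` case in the tests is the edge a naive prefix check gets wrong: without normalisation a path under an allowed folder could escape it.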
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Yes... 99.999% bullet-proof!
     
  22. tlu

    tlu Guest

    LUA + SRP.
     
  23. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Might sound like a silly question but I have to ask. Would Google Chrome with its malware type protector help with these drive by downloads?

    Ice
     
  24. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    As far as I understand it, Google Chrome has a sandbox scheme similar to IE7+LUA on Vista.

    So does it protect? Yes, it does. But if there are any browser vulnerabilities, then the protection is breached. Also any vulnerability in browser plugin (like Adobe Flash) may also be used, which are not typically sandboxed by the browser. And most Drive-by-downloads occur due to vulnerability exploits.

    IMO Best to have a 3rd-party, enforced sandbox which is invisible to browser/plugin.

    Hope I could help.
     
  25. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I don't know the most effective way of blocking Drive By Downloads!

    I just wanted to mention, for the sake of perspective, that this can be done effectively with more mainstream, conventional software.

    McAfee Virusscan Plus (once caught a malicious script that was trying to download a trojan), McAfee's SiteAdvisor (more invasive than it used to be, I have it uninstalled): sites that are not rated as green or grey can be considered blacklisted.

    Webroot's Spy Sweeper 5.5.7 (version without antivirus), it has an internet communications shield that has blocked some Drive By Downloads on my computer. I can't comment on later versions.

    I haven't been infected by a Drive by Download in the past two years.

    However, both companies are quite eager to collect your personal data (although one could argue about the 'personal').

    I realize that my security setup is 'conventional' (but still working), and I intend to change it.

    Choosing your browser and configuring it properly also helps.
     
    Last edited: Nov 23, 2008