My Windows Security Holy Grail - Granular, rule-based control over applications

Hi everyone,

I have read a number of helpful posts on this forum and I have seen a number of Firewalls, Sandboxing, Virtualization, Light Virtualization, Whitelisting and HIPS tools discussed - I don't know if what I want exists yet so I will describe it below and would love to hear your thoughts/suggestions...

I want a Windows security solution which allows granular, rule-based control over the resources that applications have access to and the scope of that access. This would behave much like modern firewalls, but for all kinds of resources, not just networks. Resource interaction that could be controlled includes access to the Filesystem, Registry, Network, Process Execution, Interaction with other processes or the Operating System/hardware itself. This should allow me to entirely isolate certain applications, or only allow them access to the exact resources that I/they require and nothing more.

Ideally it would also allow some simple virtualization like other sandbox/light virtualization tools (i.e.: it can allow an application to think it is writing to/reading from the filesystem/registry but it is actually just writing to/reading from a temporary scratch space that can be erased after the application is closed).

Other Features which would be cool and might make the solution easier to use:

• Built in access to an updatable database of whitelisted applications (and their MD5's) that are known to be safe, this could allow time to be saved when training the tool for common applications.

• 'Community Opinion' feature built into alert dialogs to allow user to reference crowd-sourced information when in doubt. This feature could quickly search a website for stats on identical alerts/MD5's that other users have encountered. The user could then see how other users responded to that same alert and the percentages/numbers of them that chose each type of response.

• 'Community Comments' button that the user can click to view/start a web-based forum thread containing community discussion related to that unique alert.

Final thoughts: To get a better idea of what I am after, have a glance through my subsequent post, which contains a bunch of hypothetical usage examples. If something with similar functionality already exists, please let me know as I want it (!) - if it doesn't....I think it would be awesome.

- What are your thoughts?
- What security solutions do you recommend/use?
- What suggestions do you have?

Regards,
- Whitelist

 

Re: My Windows Security Holy Grail - Usage Examples

As discussed in my previous post, here are a bunch of hypothetical usage examples to give you an idea of what I am after:
--------------------------------------------------------------------------------

User activity: I double-click the Firefox icon for the first time
Security Alert: "USER would like to execute C:\Program Files\Mozilla Firefox\firefox.exe (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)..."
Handling Options:

Permission Rule:
Always Allow
Always Deny
Once Only Allow
Once Only Deny

Execution Of:
ANY Application
Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)

By:
ANY User/Application
USER​

Example Response: Always Allow Execution of Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) by USER
--------------------------------------------------------------------------------

User activity: I execute the Firefox application for the first time
Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to write to C:\Documents and Settings\User\Application Data\Mozilla\Firefox..."
Handling Options:

Permission Rule:
Always Allow
Always Deny
Once Only Allow
Once Only Deny

Type of access:
Real
Virtualised (Only Visible to Application - Rolls Back on Exit)
Virtualised (Only Visible to Application - Persistent)

Data Flow:
BOTH Read and Write
Read
Write

Destination:
Filesystem ANYWHERE
Filesystem Location (C:\Documents and Settings\User\Application Data\Mozilla\Firefox)

By:
ANY User/Application
Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)​

Example Response: Always Allow Virtualised Read and Write Access to Filesystem Location (C:\Documents and Settings\User\Application Data\Mozilla\Firefox) by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)

^ The exact same style of alerting/prompting applies to both filesystem AND registry reads/writes
--------------------------------------------------------------------------------

User activity: I attempt to load www.google.com.au in Firefox
Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to access the network IP: 74.125.127.104 (www.google.com.au) through port 80 via TCP over HTTP..."
Handling Options:

Permission Rule:
Always Allow
Always Deny
Once Only Allow
Once Only Deny

Traffic Flow:
BOTH Inbound and Outbound
Inbound
Outbound

Traffic Type:
BOTH TCP and UDP
UDP
TCP

Protocol:
ANY
HTTP

Port:
ANY
80

Destination:
ANY
74.125.127.104
www.google.com.au

By:
ANY Application/MD5
Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)​

Example Response: Always Allow Inbound and Outbound, TCP and UDP, HTTP Traffic On Port 80 to ANY Destination by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
--------------------------------------------------------------------------------

User activity: I attempt to click a link to a PDF in Firefox
Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to execute Adobe Reader at C:\Program Files\Adobe\Reader.exe (MD5: 80660C611B596FFE8AF4074B31AA6FB7)..."
Handling Options:

Permission Rule:
Always Allow
Always Deny
Once Only Allow
Once Only Deny

Execution Of:
ANY Application
Adobe Reader (MD5: xxyyzz)

By:
ANY USER/APPLICATION
Firefox Application (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)​

Example Response: Always Allow Execution of Adobe Reader (MD5: 80660C611B596FFE8AF4074B31AA6FB7) by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
--------------------------------------------------------------------------------

User activity: I attempt to click a 'mailto' link on an email address in Firefox while Outlook is open
Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to send data to Microsoft Outlook at C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (MD5: 8219160C141B505AB5C112F73405C348 )..."
Handling Options:

Permission Rule:
Always Allow
Always Deny
Once Only Allow
Once Only Deny

Data Flow:
BOTH Send To and Receive From
Send To
Receive From

Destination:
ANY Application
Microsoft Outlook (MD5: 8219160C141B505AB5C112F73405C348 )

By:
ANY USER/APPLICATION
Firefox Application (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)​

Example Response: Once Only Send Data To Microsoft Outlook (MD5: 8219160C141B505AB5C112F73405C348 ) From Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
--------------------------------------------------------------------------------


Cheers,
- Whitelist

 

Out of all that I get the following: You want a HIPS solution with a couple of extra features. As Peter said, Malware Defender will get you the closest you're going to get to your "holy grail" using just one program. My advice though, drop the want of any kind of "community opinion" on whether to allow something or not. I rank the community opinion features built into a lot of these security programs right up there with blacklisting ...completely useless with a risk of being dangerous. That's just my opinion though. Other than that, MalwareDefender will do just fine for you.

 

I believe that also Online Solutions Security Suite in the final release - but partialy just now - will do it. ( Why not Defense + ? )

 

Could also have a look at the HIPS section of KIS2010.
Allows quite a degee of granulatity in setting up rules.