My Windows Security Holy Grail - Granular, rule-based control over applications

Discussion in 'other anti-malware software' started by whitelist, Jul 20, 2009.

Thread Status:
Not open for further replies.
  1. whitelist

    whitelist Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    2
    Hi everyone,

    I have read a number of helpful posts on this forum and I have seen a number of Firewalls, Sandboxing, Virtualization, Light Virtualization, Whitelisting and HIPS tools discussed - I don't know if what I want exists yet so I will describe it below and would love to hear your thoughts/suggestions...

    I want a Windows security solution which allows granular, rule-based control over the resources that applications have access to and the scope of that access. This would behave much like modern firewalls, but for all kinds of resources, not just networks. Resource interaction that could be controlled includes access to the Filesystem, Registry, Network, Process Execution, Interaction with other processes or the Operating System/hardware itself. This should allow me to entirely isolate certain applications, or only allow them access to the exact resources that I/they require and nothing more.

    Ideally it would also allow some simple virtualization like other sandbox/light virtualization tools (i.e.: it can allow an application to think it is writing to/reading from the filesystem/registry but it is actually just writing to/reading from a temporary scratch space that can be erased after the application is closed).

    Other Features which would be cool and might make the solution easier to use:
    • Built-in access to an updatable database of whitelisted applications (and their MD5s) that are known to be safe; this could allow time to be saved when training the tool for common applications.
    • 'Community Opinion' feature built into alert dialogs to allow the user to reference crowd-sourced information when in doubt. This feature could quickly search a website for stats on identical alerts/MD5s that other users have encountered. The user could then see how other users responded to that same alert and the percentages/numbers of them that chose each type of response.
    • 'Community Comments' button that the user can click to view/start a web-based forum thread containing community discussion related to that unique alert.
    Final thoughts: To get a better idea of what I am after, have a glance through my subsequent post, which contains a bunch of hypothetical usage examples. If something with similar functionality already exists, please let me know as I want it (!) - if it doesn't....I think it would be awesome.

    - What are your thoughts?
    - What security solutions do you recommend/use?
    - What suggestions do you have?

    Regards,
    - Whitelist ;)
     
  2. whitelist

    whitelist Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    2
    Re: My Windows Security Holy Grail - Usage Examples

    As discussed in my previous post, here are a bunch of hypothetical usage examples to give you an idea of what I am after:
    --------------------------------------------------------------------------------

    User activity: I double-click the Firefox icon for the first time
    Security Alert: "USER would like to execute C:\Program Files\Mozilla Firefox\firefox.exe (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)..."
    Handling Options:
    Permission Rule:
    Always Allow
    Always Deny
    Once Only Allow
    Once Only Deny


    Execution Of:
    ANY Application
    Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)


    By:
    ANY User/Application
    USER
    Example Response: Always Allow Execution of Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) by USER
    --------------------------------------------------------------------------------

    User activity: I execute the Firefox application for the first time
    Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to write to C:\Documents and Settings\User\Application Data\Mozilla\Firefox..."
    Handling Options:
    Permission Rule:
    Always Allow
    Always Deny
    Once Only Allow
    Once Only Deny


    Type of access:
    Real
    Virtualised (Only Visible to Application - Rolls Back on Exit)
    Virtualised (Only Visible to Application - Persistent)


    Data Flow:
    BOTH Read and Write
    Read
    Write


    Destination:
    Filesystem ANYWHERE
    Filesystem Location (C:\Documents and Settings\User\Application Data\Mozilla\Firefox)


    By:
    ANY User/Application
    Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    Example Response: Always Allow Virtualised Read and Write Access to Filesystem Location (C:\Documents and Settings\User\Application Data\Mozilla\Firefox) by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)

    ^ The exact same style of alerting/prompting applies to both filesystem AND registry reads/writes
    --------------------------------------------------------------------------------

    User activity: I attempt to load www.google.com.au in Firefox
    Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to access the network IP: 74.125.127.104 (www.google.com.au) through port 80 via TCP over HTTP..."
    Handling Options:
    Permission Rule:
    Always Allow
    Always Deny
    Once Only Allow
    Once Only Deny


    Traffic Flow:
    BOTH Inbound and Outbound
    Inbound
    Outbound


    Traffic Type:
    BOTH TCP and UDP
    UDP
    TCP


    Protocol:
    ANY
    HTTP


    Port:
    ANY
    80


    Destination:
    ANY
    74.125.127.104
    www.google.com.au


    By:
    ANY Application/MD5
    Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    Example Response: Always Allow Inbound and Outbound, TCP and UDP, HTTP Traffic On Port 80 to ANY Destination by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    --------------------------------------------------------------------------------

    User activity: I attempt to click a link to a PDF in Firefox
    Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to execute Adobe Reader at C:\Program Files\Adobe\Reader.exe (MD5: 80660C611B596FFE8AF4074B31AA6FB7)..."
    Handling Options:
    Permission Rule:
    Always Allow
    Always Deny
    Once Only Allow
    Once Only Deny


    Execution Of:
    ANY Application
    Adobe Reader (MD5: xxyyzz)


    By:
    ANY USER/APPLICATION
    Firefox Application (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    Example Response: Always Allow Execution of Adobe Reader (MD5: 80660C611B596FFE8AF4074B31AA6FB7) by Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    --------------------------------------------------------------------------------

    User activity: I attempt to click a 'mailto' link on an email address in Firefox while Outlook is open
    Security Alert: "Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9) would like to send data to Microsoft Outlook at C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (MD5: 8219160C141B505AB5C112F73405C348)..."
    Handling Options:
    Permission Rule:
    Always Allow
    Always Deny
    Once Only Allow
    Once Only Deny

    Data Flow:
    BOTH Send To and Receive From
    Send To
    Receive From


    Destination:
    ANY Application
    Microsoft Outlook (MD5: 8219160C141B505AB5C112F73405C348)


    By:
    ANY USER/APPLICATION
    Firefox Application (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    Example Response: Once Only Send Data To Microsoft Outlook (MD5: 8219160C141B505AB5C112F73405C348) From Firefox (MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9)
    --------------------------------------------------------------------------------


    Cheers,
    - Whitelist ;)
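The rule scheme laid out in the two posts above (a permission that is Always or Once Only, scoped to an action, a target and a subject identified by MD5, with Real or Virtualised access) can be expressed as a small policy engine. The following is an added example, not code from the original poster or from any of the products mentioned later in the thread. `Event`, `Rule`, `Verdict`, `PolicyEngine` and `demo()` are hypothetical names chosen here; the MD5 values are the ones quoted in the post, the "updated Firefox" hash is constructed, and the sandbox redirect path is an assumption.

```python
"""Toy rule-based application control engine modelling the post's examples.

Added example; hypothetical names. Hashes are those quoted in the thread.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"
FIREFOX = "26C3F01DF1B1AA6CFEC22D75F1E072F9"
READER = "80660C611B596FFE8AF4074B31AA6FB7"
OUTLOOK = "8219160C141B505AB5C112F73405C348"
PROFILE = r"C:\Documents and Settings\User\Application Data\Mozilla\Firefox"
SANDBOX_ROOT = r"C:\Sandbox"  # assumed scratch-space location


@dataclass(frozen=True)
class Event:
    subject: str   # MD5 of the requesting binary, or "USER" for a user action
    action: str    # "execute", "file", "registry", "network", "ipc"
    target: str    # path, target binary MD5, "host:port", ...
    flow: str = "rw"  # "r"/"w"/"rw" or "in"/"out"/"inout"


@dataclass
class Rule:
    decision: str            # "allow" or "deny"
    subject: str = ANY
    action: str = ANY
    target: str = ANY
    flow: str = ANY
    mode: str = "real"       # "real", "virtual", "virtual-persistent"
    once: bool = False       # "Once Only": consumed on first match

    @staticmethod
    def _field_match(pattern: str, value: str) -> bool:
        if pattern == ANY:
            return True
        p, v = pattern.lower(), value.lower()
        if p.startswith("*:"):                 # "*:80" = any host, port 80
            return v.endswith(p[1:])
        return v == p or v.startswith(p.rstrip("\\") + "\\")  # dir covers children

    def _flow_match(self, flow: str) -> bool:
        if self.flow in (ANY, flow):
            return True
        return self.flow in ("rw", "inout") and flow in self.flow

    def matches(self, ev: Event) -> bool:
        return (self._field_match(self.subject, ev.subject)
                and self._field_match(self.action, ev.action)
                and self._field_match(self.target, ev.target)
                and self._flow_match(ev.flow))

    def specificity(self) -> int:
        return sum(f != ANY for f in (self.subject, self.action, self.target, self.flow))


@dataclass(frozen=True)
class Verdict:
    decision: str                 # "allow", "deny", or "prompt" (no rule)
    mode: str = "real"
    redirect: Optional[str] = None  # where a virtualised write really lands


class PolicyEngine:
    def __init__(self, rules: Optional[List[Rule]] = None):
        self.rules: List[Rule] = list(rules or [])

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, ev: Event) -> Verdict:
        hits = [r for r in self.rules if r.matches(ev)]
        if not hits:
            return Verdict("prompt")           # unknown: ask the user
        best = max(hits, key=Rule.specificity)  # most specific; earliest on ties
        if best.once:
            self.rules.remove(best)            # Once Only rules do not persist
        redirect = None
        if best.decision == "allow" and best.mode.startswith("virtual"):
            rel = ev.target.split(":", 1)[-1].lstrip("\\")
            redirect = ntpath.join(SANDBOX_ROOT, ev.subject, rel)
        return Verdict(best.decision, best.mode, redirect)


def demo() -> dict:
    """Replay the post's scenarios; returns the verdict for each."""
    eng, out = PolicyEngine(), {}
    first_run = Event("USER", "execute", FIREFOX)
    out["firefox_first_run"] = eng.decide(first_run).decision
    eng.add(Rule("allow", subject="USER", action="execute", target=FIREFOX))
    out["firefox_allowed"] = eng.decide(first_run).decision
    # Default-deny writes for Firefox, then a narrow virtualised allow for its profile
    eng.add(Rule("deny", subject=FIREFOX, action="file", flow="w"))
    eng.add(Rule("allow", subject=FIREFOX, action="file", target=PROFILE, flow="rw", mode="virtual"))
    v = eng.decide(Event(FIREFOX, "file", PROFILE + r"\prefs.js", "w"))
    out["profile_write"] = (v.decision, v.mode, v.redirect)
    out["system_write"] = eng.decide(Event(FIREFOX, "file", r"C:\Windows\system32\x.dll", "w")).decision
    eng.add(Rule("allow", subject=FIREFOX, action="network", target="*:80", flow="inout"))
    out["google_http"] = eng.decide(Event(FIREFOX, "network", "74.125.127.104:80", "out")).decision
    out["other_port"] = eng.decide(Event(FIREFOX, "network", "74.125.127.104:443", "out")).decision
    eng.add(Rule("allow", subject=FIREFOX, action="execute", target=READER))
    out["reader_from_firefox"] = eng.decide(Event(FIREFOX, "execute", READER)).decision
    eng.add(Rule("allow", subject=FIREFOX, action="ipc", target=OUTLOOK, flow="out", once=True))
    mailto = Event(FIREFOX, "ipc", OUTLOOK, "out")
    out["mailto_first"] = eng.decide(mailto).decision
    out["mailto_second"] = eng.decide(mailto).decision
    # Hash-pinned identity: an updated firefox.exe has a new MD5 and no rules
    out["updated_firefox"] = eng.decide(Event("USER", "execute", "0" * 32)).decision
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two properties of the scheme show up in the replay. First, the most-specific-rule-wins evaluation lets a broad deny (no writes anywhere by Firefox) coexist with a narrow virtualised allow for the profile directory, which is the least-privilege shape the post is asking for. Second, because the subject is the binary's hash, every update of firefox.exe lands back at "prompt"; that is where the pop-up fatigue the later replies warn about comes from, and a real implementation would pin on the signer's identity (or at least SHA-256, since MD5 collisions are practical) rather than on an MD5.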
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    You could probably come close with both Online Armor and certainly with Malware Defender. But even more probably the pop-ups will drive you nuts.

    Ask yourself Why??
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Out of all that I get the following: You want a HIPS solution with a couple of extra features. As Peter said, Malware Defender will get you the closest you're going to get to your "holy grail" using just one program. My advice though, drop the want of any kind of "community opinion" on whether to allow something or not. I rank the community opinion features built into a lot of these security programs right up there with blacklisting... completely useless with a risk of being dangerous. That's just my opinion though. Other than that, Malware Defender will do just fine for you.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    I believe that Online Solutions Security Suite will also do it in the final release (partially already now). (Why not Defense+?)
     
  6. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Could also have a look at the HIPS section of KIS2010.
    Allows quite a degree of granularity in setting up rules.
     