Need your help to restrict my Firefox :)

Discussion in 'other software & services' started by harsha_mic, Dec 30, 2015.

  1. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    I need help in determining the best way to lock down/restrict my Firefox (primary browser), to make it more secure from exploits/drive-by downloads or anything else that uses the browser as the vector point.

    And I would like to have as little software installed as possible. So, with that in mind, I have configured it as below -

    Current settings -

    1. Resident:
    - Eset NOD32 AV 9 (PUP detection enabled).
    - UAC Enabled
    - Smartscreen Enabled
    - Hitman Pro Alert (freeware mode)

    2. Following configurations made to Firefox -
    • Installed uBlock Origin (Medium Blocking mode - This should in a way take care of CSRF/Clickjacking attacks)
    • Flash - Set "Ask To Activate"
    • Always browses in Private browsing mode. This takes care of LSO's. So, no dedicated addon!!
    • Deny 3rd Party Cookies.
    • To further restrict, I have added a few rules to Eset HIPS for firefox.exe as below
    - (rule 1) Process: Firefox.exe
      Action: Ask
      For: Files
      Operations to Monitor: Direct Access to Disk, Install Global Hook, Load Driver
      Target: All Files
      For: Applications
      Operations to Monitor: Debug another application, Intercept events from another application, Terminate/suspend another application, Start new application, Modify state of another application
      Target: All Applications
    - (rule 2) Process: Firefox.exe
      Action: Allow to start plugin-container.exe
    - (rule 3) Process: Firefox.exe
      Action: Allow to terminate/suspend plugin-container.exe

    Can you suggest whether I need to update my HIPS rules to restrict Firefox as stated in the first statement, or is it better to have something such as SOB?

    Btw, my OS is W10 Home 64 bit.

    I appreciate you patiently reading my long post :)

    Of Interest: My Firefox scored 15/17 in browser scope test (test 3 & 12 failed)
     
    Last edited: Dec 30, 2015
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    "deny 3rd-party cookies" will drive you into trouble. while using private mode it's pretty pointless.
    smartscreen depends on windows defender and the zone identifier, and some other minor settings in windows.
    your effort with eset on firefox, paranoia? you already have HMPA installed. the rest is scanned by eset by default - access, download, cache.

    i can tell you that some don't need Fort Knox for browsing and to keep privacy.
    concerning your browser test - i have 15 of 17 without any strong settings - and now?

    those tests are null - i tried another instance of firefox (v44) with less security - failed another test but passed that one which v43 failed.
    what do you think now of your concept?

    and for sure, any current firefox will fail "FAIL toStaticHTML API" * and "FAIL Origin header" if some won't modify it.
    modifying the header will run some in other trouble - wrong displayed sites up to complete fail of content.

    *https://forums.informaction.com/viewtopic.php?p=19516#p19516
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Just wondered where Medium Blocking Mode is set??

    Bad scripts would still be a concern for me. So NoScript (add-on) would be my recommendation, if you're willing and able to deal with setting it up for a short while (since most of us are creatures of habit and surf to the same places most of the time, NoScript isn't bad to deal with past the first few days.)
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  5. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    thanks @Brummelchen, @HAN for your input.

    Maybe! However, for years I have been denying 3rd Party Cookies, and I have not faced any issues with it.

    Not sure if this is true. Can you give me the link to it? As far as I understand, disabling Windows Defender has no effect on it.
    And regarding the browser scope tests, I just included them for fun. Nothing serious here.

    I am quite sure that, with my browsing habits, it is highly unlikely that I would be hit by malware. Just wanted to see if I can add a few more restrictions to Eset HIPS without much hassle. You know, reading all the threads here regarding security, sometimes it tempts me to tinker with the security a little bit :)

    it is what @Brummelchen said.

    I used to be a hard core ABP + NoScript user back in the day. And I had no trouble dealing with NoScript ;)
    With uBlock Origin, I can have both of them in one :). Also, I really like its logger and the customization it allows.

    Also, Wishing every one a happy new year :)
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    WD & SmartScreen
    http://windows.microsoft.com/en-US/windows-8/windows-defender?woldogcb=0
    concerning eset and hips or hips in general - it means work, attention at any time. and that's not what i wanted, i am no slave of my computer or software.

    we adjust every day our behavior and parts of settings, maybe. but i did not run into trouble with malware for over 20 years now. 6 without any active scanner. it is possible.
     
  7. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    In regards to: "Always browses in Private browsing mode. This takes care of LSO's. So, no dedicated addon!!"

    Can you do a search via Windows Search or your preferred Search program for the term "Flash Player". The directories should appear in User Directories and 1 or 2 others (I think... I would check myself, but I no longer use Flash). Enter the directories and see if anything is in there. Back before I manually prevented LSO's system wide, I remember Private Browsing Mode had bugger all effect on items stored in "Flash Player" directories. It might've protected against LSO's, but not all Flash-related storage, since this plugin/addon stores other stuff in those directories as well.

    I also noticed you didn't mention anything about FF phoning-home... eg: all the http:// and https:// entries in about:config...

    I just did the test, and have fails for 3 6 12 and 15. I don't have any official addons, but make use of AdGuard for Windows and MBAE.
    -- Installed NoScript, allowed all scripts globally so only using CSS protection etc... failed 12 and 15.

    I find it funny how these tests require Javascript to run...
     
    Last edited: Jan 1, 2016
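
The manual check described in post 7 above, as an added example that is not part of any post in this thread: it lists whatever Flash has stored per site, both LSOs and per-site settings files. It assumes the default per-user Flash Player locations under %APPDATA%\Macromedia\Flash Player on Windows; the function names are hypothetical and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path

def flash_roots(appdata):
    """Per-user Flash Player storage roots (assumed default Windows layout)."""
    base = Path(appdata) / "Macromedia" / "Flash Player"
    return {
        "lso": base / "#SharedObjects",
        "site-settings": base / "macromedia.com" / "support" / "flashplayer" / "sys",
    }

def scan_flash_storage(appdata):
    """List every file Flash has stored as (kind, site, filename, size_in_bytes)."""
    findings = []
    for kind, root in flash_roots(appdata).items():
        if not root.is_dir():
            continue  # Flash never ran for this user, or the storage was removed
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            parts = path.relative_to(root).parts
            if kind == "lso":
                # layout: <random dir>/<site>/.../<name>.sol
                site = parts[1] if len(parts) >= 3 else "(unknown)"
            else:
                # layout: #<site>/settings.sol, plus one global settings.sol
                site = parts[0].lstrip("#") if len(parts) >= 2 else "(global)"
            findings.append((kind, site, path.name, path.stat().st_size))
    return findings

def build_sample_profile(appdata):
    """Constructed sample tree: one LSO, one per-site settings file, one global file."""
    roots = flash_roots(appdata)
    files = {
        roots["lso"] / "AB12CD34" / "tracker.example" / "id.sol": b"x" * 64,
        roots["site-settings"] / "#tracker.example" / "settings.sol": b"x" * 16,
        roots["site-settings"] / "settings.sol": b"x" * 32,
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    # Scan the real profile when APPDATA is set; otherwise use the constructed tree.
    appdata = os.environ.get("APPDATA")
    with tempfile.TemporaryDirectory() as tmp:
        if not appdata:
            build_sample_profile(tmp)
            appdata = tmp
        for kind, site, name, size in scan_flash_storage(appdata):
            print(f"{kind:14} {site:20} {name:14} {size} bytes")
```

Running it once after a normal session and once after a Private Browsing session shows which of the two kinds of file still appear.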
  8. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Last edited: Jan 1, 2016
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    some kind of telemetry and safe-browsing, possible to turn such features off and nearly to off.
    sure - lol

    sandboxie paid can use forced folders or forced programs. forced folders is idd a powerful weapon.
    for some programs i noticed a difference between force and start.exe - some did not crash as forced ^^
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Same here. I have set up every browser that I have used through the years to block 3rd party cookies in the browser settings for as long as I can remember - and have not encountered any issues because of that. In Firefox, which I have used since the beginning of 2015, I allow cookies, but have 3rd party cookies set to Never (?). I don't have the English FF version installed so I don't know the exact words they use in the settings menu.
     
  11. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    You can get FF running in both SBIE and SS-Sandbox... just needs some tinkering. I was using this approach for a decent amount of time, but ditched it for another setup. Using both SBIE and SS, a conflict does arise if the user wishes to run FF in normal mode; no sandboxing. SBIE would have to have FF removed from Forced Apps so the user can run FF via SS as unrestricted (via right click). The other way; gotta' manually remove FF from SS-Sandbox.
     
  12. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    "Deny 3rd Party Cookies."

    The best way for me is to reject 3rd party and accept all others. Then dump when closed and whitelist the ones you want persistent. Great usability and privacy for many.

    "LSOs"

    We were both in a thread the other day and I gave IMO good advice. TL,DR: FFox erases flash cookies per the new flash APIs with the native FFox settings....been for a while. No need for extensions or modes.

    "To Further restrict, i have added few rules to Eset HIPS for firefox.exe as below
    Can you suggest me if i need to update my HIPS rules to restrict firefox as stated in first statement, or is it better to have something such as SOB."


    Have you tried an interactive HIPS mode aka alert city mode? When configuring HIPS, it's often a good dice roll for heavily exploited gear. Interactive shows how an app "ticks" and is often a gateway to teaching a user "what's what" while minimizing unnecessary future alerts granted you start on a clean image/updates and are savvy.

    "B/w my OS if W10 Home 64 bit."

    NICE! & Hitman Anti-exploit. Very strong.

    & yeah, a sandbox may backup your HIPs. May be excessive...etc..etc. But SBie may backup lackings of HIPs rules as a dumb "just erase all unless whitelisted" HIPS solution.

    Also, maybe I am blind and it's already been posted, but there are some good about:config tweaks posted on Wilders that I would consider.
     
  13. Shankle

    Shankle Registered Member

    Joined:
    May 2, 2006
    Posts:
    510
    Use Slimjet. It's a much better browser:)
     
  14. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Not exactly the answer he was seeking.
    I don't see how slimjet is a better browser anyhow.
     
  15. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    I looked at this link before, but I could not see anything there that mentions that Smartscreen is dependent on WD.
    I don't think Smartscreen is dependent on WD. I do remember testing Smartscreen during W8, with WD disabled, and it sprang into action!!
    I did, and did not find anything relevant, just a bunch of folders and a few settings. Shared Objects folder is empty.
    Thanks buddy. Yes, I do have sandboxie in mind, and it has been suggested to me by kees earlier. But no spyshelter anti-keylogger. Already have HMPA.
    Thanks Sordid. Yes, I agree with all your points. However, ESET interactive HIPS mode, it's too talkative for my tastes :)


    At this point, I see the following actions, to further tweak my settings -
    Tune Firefox, with some additional configs, in regards to disabling unwanted services, security settings.
    Maybe add Sandboxie. In case something suspicious is to be browsed, this will come in handy.
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Thanks for this thread! I had been using uBlock as a pure ad blocker and not really paying any attention to what else it can easily do. I think I'm going to set up all of the Firefox installations I oversee as "enhanced" Easy mode (Easy mode plus blocking 3rd-party iframe tags.) Medium mode breaks more sites than I have time to deal with but some additional 3rd party protection is great! :)
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    not here, depends on your settings/used lists. maybe less restrictions may help you out.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,876
    Location:
    Australia
    It's not. I have Norton installed, which disables WD, and Smart Screen Filter popped up when I tried running a program today.

    Edit: To clarify, this was a program I had already downloaded to my Desktop before running, so it wasn't blocked in either IE11 or Edge.
     
    Last edited: Jan 9, 2016