Nice AV find for featherlight setup

Discussion in 'other security issues & news' started by Kees1958, Oct 29, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am running without AV in this setup https://www.wilderssecurity.com/showpost.php?p=1775211&postcount=11560

    I also have implemented this for my wife's laptop. Only she is a completely PC illiterate. She will never clean trash, won't ever run defrag, won't ever run an on-demand Anti Virus scan, etc.

    So I started to craft some batch files (and got a giveaway of Ashampoo Winoptimiser 6 with auto defrag), when searching I found something nice.

    With Chrome the Downloads directory can be fixed, with IE8 not, so All downloads are forces to the Downloads directory (does not matter what documents, movies, all user folders are relocated to Downloads). The real data is on a second partition.

    I really like A2 Emergency, because of its small updates and updates real fast. SO I added an update shortcut in the startup folder (use /u switch for a2cmd) and added "TheSpyFolder" a freebie which watches folders, to guard the Downloads directory for creation and temp directory for rename operations. I have also added the batch file for Spyfolder to start in the background (/b switch) and you have to add a log file.

    In the folder spy settings A2cmd is started to /d (delete infections) /a (look in archives) /f="fulll path\name of directory" (to check in this directory)

    Regards

    Picture explaines it all

    EDIT: pitty the application SpyFolder is not suitable for this use, e.g. when you download a large file it starts the application mentioned at first bytes write, because the download is either in use or not yet considered an executable, the AV does not check it)
     

    Attached Files:

    Last edited: Oct 31, 2010
  2. Jav

    Jav Guest

    good job Kees.

    2 questions:
    1) why detection of renamed files in temp folder? and not creation?

    2) what about USB and other portable devices?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Jav,

    USB's are through GPO autorun blocked and through SRP execution blocked, so not possible to execute

    For Temp folder it is normal to create stuff. Often installers extract executables into it.Windows has some internal protection mechanism for temp folders which limit execution sufficiently to keep for instance Software Restriction Rules applicable of dangereous file types. It is common for malware to dump tmp files and renames them afterwards. So it is a very suspicious action.

    Regards Kees
     
  4. Jav

    Jav Guest

    ok, I see.
    Thank you :)
     
  5. katio

    katio Guest

    One issue that caught my eye:
    c) Auto elevate only from safe places (Windows & Program Files)

    The Windows folder is not safe, it contains world writable+executable folders, see this post.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    Normally windows should protect from intrusions. This is because some actions which touch the system are allowed by users (e.g. installing a printer). See "testing" in this post https://www.wilderssecurity.com/showpost.php?p=1775211&postcount=11559 TDSS makes use of this 'weakness' only in a very smart way.

    Regards Kees
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Within the context of a standard user account with UAC enabled, these folders aren't accessable to such user without credentials:

    C:\Windows\Temp\*
    C:\Windows\System32\Tasks\*
    C:\windows\System32\spool\PRINTERS\*
    C:\windows\System32\com\dmp\*

    (With UAC disabled they won't get access nor won't be alerted to enter credentials, obviously.)

    To all others, free run.
     
Loading...
Thread Status:
Not open for further replies.