Protection against new objects

Discussion in 'other security issues & news' started by ErikAlbert, Dec 7, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This is NOT about objects, that are already stored in my data partition,
    because Sandboxie is supposed to protect my data partition, while I'm surfing on the internet.

    This time I'm talking about NEW objects, like :
    - installation files of legitimate softwares, screensavers, games, ...
    - documents (doc), spreadsheets (xls), manuals (pdf), etc.
    - pictures, movies, MP3 (I don't do this myself).

    In theory my system partition cannot be infected by my data partition, because my boot-to-restore and security softwares take care of that.
    BUT my data partition can infect my system partition, when I install NEW infected softwares and when that happens, my system will be infected and re-infected over and over again.

    Downloading objects from the official homepage or safe websites doesn't seem to be enough because the bad guys can replace the good objects with infected objects and that happened in the past.
    I like to reduce the risk to the absolute minimum in order to store not-infected objects on my data partition as much as possible.

    So the question is : How can I avoid to store INFECTED objects permanently as much as possible.
    The purpose is to build a collection of rules/procedures to solve this problem.
    So let's do it systematically, objective, theoretical and how it has to be done, regardless the fact that some rules/procedures are ignored by users for some reason. I like to have a total picture first.
    If there are softwares or websites that can help, I like to know them too, like software names or links.
    Keep in mind that this is only about new downloaded files on my data partition and other members/lurkers, might learn from this thread also, certainly ME. :)

    The first rule might be :

    1. Download only from trusted websites or the official homepage, but that is NOT enough.
    2. Scan downloaded objects with VirusTotal and/or Jotti.
    3. Checking the hash number against the manufacturer's.
    4. Run the program on a test machine.
     
    Last edited: Dec 7, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi, ErikAlbert,

    A few things come to mind, but first, I would like some clarification:

    I'm confused, because you refer to your "data" partition, then say you install softwares, which I presume means executables, which are not data.

    This has been enough for me for 15+ years, so it's a good rule in my book.

    Other solutions would be:

    ==> to scan the installer -- but from past posts, you don't consider scanning to be reliable

    ==> check the hash number against the manufacturer's. I've seen this discussed -- do a search.

    ==> run the program on a separate test machine for a period of time, to see if some obvious defects show up. You would need some networking tools to be thorough in this testing method.


    ----
    -rich
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All my installation files are stored on my data partition, so I install my system partition via my data partition. But does that really matter ?
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can scan objects via VirusTotal or Jotti, instead of having a bunch of scanners on my computer.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I understand, but keep in mind that "data" ususally refers to files other than executables.

    Since your other (data) partition includes software (executables) then I'll stick with my comments above regarding those.

    Regarding infected files (documents) -

    First, if they contain executable code, as most of the known Office exploits do, they would be blocked by your current security setup upon attempting to install.

    Second - if they were to somehow reside on your other partition and contain malicious code, how will this code continue to be activated upon reboot? Some triggering mechanism has to reside somewhere - the embedded malware in documents that I've seen puts a command in a startup folder or a RUN key in the registry -- on your system partition -- which I assume will be removed on your next reboot, hence, a non-threat.

    That's what comes to mind so far...

    Well, I'm confused again, because in the past you have shown no trust in scanners (as I've understood your posts) so now, are you saying you trust the uploading to scanners, but not using resident scanners?


    ----
    rich
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Using scanners to remove malware on the system partition is NOT the same as removing malware from data partition. I don't accept any change in my system partition, because that is possible with system files.

    I can't do this with my data partition, because my data partition changes all the time. A boot-to-restore would remove all the changes in my data partition, including changes in my documents. That would destroy all my work of the day.

    I can't download files in my system partition either, because they disappear during reboot.
    But all this is old news.
     
    Last edited: Dec 7, 2007
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can you scan any object with VirusTotal and Jotti ?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I thought we were referring to scanning your program installer before installing the program on your data partition. You asked,

    I'm referring to scanning before installing, not removing malware from your data partition.

    This is my point in your concern about downloading an infected document: those I've seen load something to your system partition to trigger the malware each time the computer is rebooted. In your case this cannot happen.

    Also, you haven't addressed my thought as to how an infected document can run on your system. Here is an infected .rtf document downloaded. When attempting to open it, it is flagged immediately as it tries to extract an executable:

    docRTF.gif
    ___________________________________________________________

    I think so -- I've scanned .htm, .doc, .xls as well as any executable filetype. There are size limits.

    So, you could scan a document (such as the .rtf I used) before opening it.


    ----
    rich
     
    Last edited: Dec 7, 2007
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How can I scan a program installer without storing it first in my system partition or data partition ? Jotti or VirusTotal ask me to browse to the file first, before I can scan it.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Storing is not running. You can download any executable, upload to scan, then delete it if it proves malicious. It can't infect until you open (run) the file.

    Or are you referring to something else?


    ----
    rich
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No, we agree on this.
    In theory, I cannot trust any new downloaded file, before it is verified.
    An those new downloaded files, increase my data partition and sometimes I use them to install new softwares on my system partition.
    So I have all reasons to be suspicious about these new files and if I check them as good as possible, they might be malware-free.
    That includes : download from the known source, check its hash and scan them with Jotti or Virustotal, all bits help.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sounds like a plan!

    Someone else may have thoughts...

    One question: how often do you download to read an Office document written by someone else?


    ----
    rich
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Never, all my Office documents are written by myself : mainly documents and spreadsheets. But I often download .pdf-files (software manuals, ...)

    My concern is mainly installation files of softwares, but why not data files also.
    Until now, I downloaded from the homepage, but I read that these files can also be corrupted, if the homepage has been hacked by the bad guys.

    I ran recently a bunch of advanced+ scanners and they couldn't find anything, but I'm not planning to do this forever.
    My system partition is clean, my data partition is clean, but I like to verify my downloaded files a little better in the future, because that is where the evil starts and that affects both partition.
    Thanks for the help, meanwhile I will wait for other suggestions ...
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome, and other suggestions as to how to feel safe about what is installed may be worth considering!


    ----
    rich
     
  15. kurchatovium

    kurchatovium Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    89
    The test system is not a bad idea. I do this often just to see how a program runs. In other words does it crash a lot or have a lot of bugs. Of course it can be done as well to see if its infected. A few of the art programs I use are only made in Russia and I tried them on a test machine just to be safe.
     
  16. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Rmus is correct, there are size limits and it's 10MB for both sites. That's why I have to keep extra free scanners around. It may not be a problem for you if you only download smaller programs or files.

    innerpeace

    edit: added the word files
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    You can test your installer ahead of time courtesy this site sponsored by COUNTERSPY!

    Automated Malware Sandbox
    Submit a malware sample to our automated sandbox server to see what the malware would do to your computer if it were installed.

    • Submit to Sandbox

    http://research.sunbelt-software.com/Submit.aspx
     
  18. herbalist

    herbalist Guest

    This is my procedure for new installs and apps being started for the first time. Some of the steps are not possible on NT systems. These are marked with "9X only".
    1. Check digital signature if available.
    2. Upload to VirusTotal or Jotti and scan. If over their size limit, scan with local scanner.
    3. Make system image in case restore is necessary.
    4. Copy installer or app to desktop. Shut off external data drive.
    5. 9X only. Load test registry with TestRun. The test registry is an exact duplicate of the system registry that can either be accepted or thrown out.
    6. Run installer thru Inctrl5. It takes a system snapshot before and after the install and reports all file/folder additions and changes plus all changes to the registry. Between the saved install reports and the file list made when I first installed the OS, all files on my system are accounted for.
    7. Inctrl5 is then used to record any changes made during the first run of the new app. Some make unwanted file association changes I may not want.
    8. I keep all security apps running during the install and monitor the activity via the SSM prompts. If the installer tries to "call home" during the install, the install process is terminated and the system is returned to its previous state, either with the image or manually if there aren't too many changes.
    9. Reboot. 9X only, cancel registry restore process. If the new app meets expectations, test registry is accepted. If not, system is restored.
    10. 9X only. If the new app is accepted, a new registry restore is made that will be used at every reboot.

    More info on TestRun is available here. Page is in Archive.org as his site is down. For 9X systems only.
    More info on the registry restore here. For 9X systems only.

    Rick
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks guys !!!. Enough work to keep me busy for awhile, but absolutely necessary, if I want to keep my system and data partition clean in the future.
    Once I've figured it out, it will be another big improvement to keep my computer clean.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    To analyze EULAs:
    EULAlyzer
    - Do some research about the software or its developer.
    - Download from the vendor site.
    - Check hashes (if provided) or digital certificates.
    - Scan at Virustotal/Jotti/Virus.org
    - Submit to an automated expert analysis system such as Norman Sandbox, Sunbelt, Sandbox, Anubis, PC Tools ThreatExpert (this requires some knowledge to understand the output of the expert analysis)
    - Prepare the system for a rollback (take images, update FD-ISR archives, etc). Disconnect the backup drive/s.
    - If you're inclined, run the installer in a clean VM/spare PC loaded with analysis tools (Process Explorer, Process Monitor, TCPView, packet sniffer, etc)
    - Run the installer throu an install monitor (like Total Uninstaller, ZSoft Uninstaller, Inctrl5)
    - Use EULAlyzer to inspect the EULA.
    - Follow the alerts made by your security apps (inapplicable to sandboxes and Anti-Executable)

    - View your PDFs using a sandboxed/isolated instance of your PDF reader (if possible with scripting disabled)
    - Handling of suspicious/untrusted Office files
    - Use up-to-date versions of your Office suite, PDF reader, media players, etc.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Lucas,
    Thanks for the additional info.
    I will make a summary of all suggestions in this thread, remove the double ones and then try to work them out in detail. This will take some time of course. :)
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    With Virus Total you can install their 'Virus Total Uploader' which makes it really fast to send a file to their website, see attachment.
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.