Safe Admin & Chrome

Discussion in 'other anti-malware software' started by Kees1958, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
To clarify some confusion I might have created.

    I am running CHROME with the --safe-plugins switch to contain the plug-ins.

    I am using Adobe Acrobat X (it is sandboxed also, so should be a lot safer)

    I run CHROME with the following setup:

    a) disallow cookies from third party (see picture 1)

b) only use Chrome's internal versions of FLASH and PDF (so they are always securely sandboxed :)
     

    Attached Files:

    Last edited: Apr 3, 2011
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
These are my easy SAFE ADMIN registry changes. I have added .txt files so you can easily switch them on or off (in the 5th post). This is for Vista/Windows 7 users running as admin with Home and Home Premium; owners of Business and Ultimate should use GPEDIT.msc to harden their setup (Windows 7 Ultimate users can use AppLocker to further enhance their protection). Best for Home Premium is to run as an LUA user (but most seem to dislike that).

    Drive_by protection
    a) turn on = Drive_by_deny.txt (save as Drive_by_deny.reg)
    b) turn off = Drive_by_warn.txt

With Internet Explorer you can't download executables; since I am using CHROME I am ABLE to download, but I have to remove the block before running the file (see picture)


    Safer UAC
a) turn on = Elevate_deny_unsigned.txt (save as Elevate_deny_unsigned.reg)
    b) turn off = Elevate_warn_unsigned.txt

What it does: only allows signed programs from safe places (Windows and Program Files) to elevate. When you want to install something, just switch this protection off, right click the file and run as ADMIN
     

    Attached Files:

    Last edited: Apr 3, 2011
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    These are the warnings when you have safe-admin on

The warning of the drive-by protection is self-explanatory (BLUE); the warning of the unsigned elevate protection is a bit stupid (RED), but hey, I did not code it, so blame Microsoft.
     

    Attached Files:

    Last edited: Apr 3, 2011
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
How to save the txt files as reg files.

EDIT. Notepad is not allowed to save reg files to Program Files; save them to the desktop and move them with Explorer to a subdirectory in C:\Program Files\
     

    Attached Files:

• REG1.png
• REG2.png
    Last edited: Apr 3, 2011
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The txt files as promised

    Elevate_deny_unsigned.txt = registry file to make UAC safer running as ADMIN
    Elevate_warn_unsigned.txt = set back to the default

    Drive_by_deny.txt = deny execute downloaded executables (with Chrome)
    Drive_by_warn.txt = set back to default


Note: because CHROME is located in the Users directory, with Elevate_deny, although it is a signed program, UAC will never allow it to elevate, because it is NOT located in the Program Files directory; so a big advantage: a forced LUA box on top of Chrome's own policy sandbox
     

    Attached Files:

  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
I run Chrome with Chrome's own phishing filter, McAfee SiteAdvisor and the Bitdefender TrafficLight without the slow advanced filter, using ClearCloud DNS services (set on the router), so I've got IP filtering from Chrome, Sunbelt, McAfee and Bitdefender to keep me away from risky places.

Only running Windows FW two-way (see Stem's post) and Hitman Pro on demand, that is it


Before I download a program, I set Drive_by_deny to warn and download the program with IE9; IE tells me it is safe, afterwards I check with HMP via right click and that is it (got an image backup :)

I always run --incognito with Chrome

    regards
     

    Attached Files:

    Last edited: Apr 3, 2011
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Just a small note here - you can also disable read access to third-party cookies as well, via about:flags - definitely works for v10 onwards, did not test previous ones.
     
  8. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for the detailed explanation, I will give it a try :D
     
  9. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    Great topic!

It is worth remembering that "Drive_by_deny.txt" works like this:

    IE9 = Block Download
    Firefox = Block Download
    Chrome = no blocks, but does not run
    Opera = ? (I believe that works similarly to Chrome)
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Attached Files:

  11. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    The Elevate_warn_unsigned sets "EnableInstallerDetection" to 1, "BehaviorOnFailedVerify" to 1. I had to manually change them back to 0 and 2 respectively.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
There's no point in adding the FlashUtil10o_ActiveX.exe to EMET. That's the uninstaller. The plugin is initiated by the web browser process and therefore all that is required is to add the web browser's process under EMET's protection. In case someone uses Firefox, they also need to add the process that handles plugins. Sorry, but I do not recall the name of that process.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
The idea of safe-admin is to put an extra threshold on elevating from UAC's medium rights (LUA) to high rights (Admin), by only allowing signed programs to gain admin rights.

You can disable this when you want to install a non-signed program. Most non-signed programs run well in Windows virtualisation mode, through the run-as-invoker fix; see Microsoft http://technet.microsoft.com/en-us/library/dd638389(WS.10).aspx

You have to manually add the program with regedit.exe

Go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers and add the possibly troublesome program so it runs virtualised (meaning changes to Windows and Program Files and registry changes are virtualised). Most unsigned programs will work okay this way.

I have added my other internet-facing software (WMPlayer and Windows Live Mail) also, to again provide protection to the admin space
     

    Attached Files:

  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    All of these settings work in W7 x64?
     
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
Kees, how do you think Safe Admin's protection differs from AppGuard in general level of protection? Do they both provide an equal level of protection for those not intending to use a real-time AV? Do AppGuard and Safe Admin run smoothly together?
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
There's no harm in doing that (pinning to the taskbar, that is). It won't break any functionality, AFAIK.

    You should be able to see it with Process Explorer. The plugins dll should be running under chrome.exe child process, instead of the parent. (The parent runs with medium level (if UAC is enabled/standard user account) and the children with low level.)

    If Chrome's beta version already comes with the protected Flash plugin (sandboxed) (I'm not sure if the stable version does already?), and if that's the only plugin you use, then --safe-plugins would be useless, I guess.
     
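Added example for post 16, not part of the thread: the Process Explorer check described there, done with WMI so it works on Vista/7 without extra tools. Chrome puts --type=<role> on each child process's command line, so the browser parent (no --type) and its renderer/plugin children can be told apart, and --safe-plugins is visible on the parent's command line when it is in effect. Assumes Chrome is running; the function names are mine.

```powershell
# Added example, not part of the thread: list the chrome.exe process tree and
# confirm that plugin work runs in a child process, as post 16 describes.
# Win32_Process exposes ProcessId, ParentProcessId and CommandLine.

function Get-ChromeProcessTree {
    $procs = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'chrome.exe'")
    $chromeIds = $procs | ForEach-Object { $_.ProcessId }
    foreach ($p in $procs) {
        # Children carry --type=renderer, --type=plugin, --type=gpu-process ...;
        # the browser process carries no --type at all.
        $role = if ($p.CommandLine -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
        [pscustomobject]@{
            Pid            = $p.ProcessId
            ParentPid      = $p.ParentProcessId
            Role           = $role
            # True for children that really hang off a Chrome parent.
            ParentIsChrome = ($chromeIds -contains $p.ParentProcessId)
            SafePlugins    = ($p.CommandLine -like '*--safe-plugins*')
        }
    }
}

function Test-PluginIsolation {
    # What post 16 wants to confirm: plugin hosting happens in a child of the
    # browser process. Returns the plugin-role children found (none = nothing
    # plugin-related is loaded right now, or Chrome is not running).
    Get-ChromeProcessTree | Where-Object { $_.Role -match 'plugin|ppapi' -and $_.ParentIsChrome }
}

Get-ChromeProcessTree | Sort-Object Role | Format-Table -AutoSize
Test-PluginIsolation
```

Win32_Process does not expose the token's integrity level, so the Low/Medium column post 16 mentions is still best read off Process Explorer (or `whoami /groups` for your own shell); this script covers the parent/child and --type part of the check.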
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I looked in "about:" under Chrome and it had the command listed, so I'm thinking that also means it is on. But, I'll look into downloading process explorer today as well.

    @Kees: It should be noted that under Win 7 (x64), you can't save those reg files to the Program Files directory, without changing permissions. I've not done so yet, but just an FYI for anyone following your instructions.


    -edit-

Already running into problems (this is why I hate security tweaks). @Moonblood: I attempted to run Java so I could see if the --safer-plugins deal was working under Process Explorer. Well, Java crashes every single time without fail, and brings Chrome down with it. Using built-in Flash is no issue, but there is no plugin .dll for it under Process Explorer (I'm assuming because it's already sandboxed and the switch, as you say, does nothing). Loving Chrome, hating this tweaking stuff (and we all wonder why the novices don't have enough security, lol).

P.S., when running Java, Chrome asks me permission to allow it to run (which I do, and it crashes), so I'm guessing that is the --safe-plugins switch at work. All other plugins run fine (Flash, PDF, Silverlight). Only Java crashes.

-Edit-

Turning off --safe-plugins allows Java to work again, once allowed in Chrome. So until I can get this figured out, I won't turn it back on. I'm not dealing with broken functionality for slightly more security, lol. I did try to uninstall/reinstall Java again, and then test it with both --safe-plugins on, then off. Same results: Java kills Chrome with safe plugins on, but runs flawlessly with it off.
     
    Last edited: Apr 3, 2011
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's unfortunate. I don't have Java installed, so I could never test it myself. I wish that Oracle would work on that security aspect - a sandboxed Java like Adobe Reader or even Chrome's Adobe Flash Player version.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Yeah, as ticked off as the whole thing has made me, it has to be an issue with Java itself. Even Silverlight works just fine with safe plugins enabled. Too bad I can't think of a way to quickly switch it on and off as needed. Really only one website (which unfortunately I can't make members of my family give up) needs Java. So it's a bit of a PITA to deal with this mess over one (maybe a tiny handful of others I'm not thinking of at the moment) website.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hmm.. If all that Java is required for (regarding websites) is just one website, perhaps you could create a specific Chrome profile for accessing that domain without the command switch --safe-plugins, and disable unneeded plugins. Keep a different profile for everything else with --safe-plugins enabled.

If you name the shortcuts appropriately, your relatives shouldn't have any problems knowing when to use one or the other.

By the way, using Google Chrome 10 (do not try it with the Dev Channel, as there's a bug... I'm not sure about the Beta version (didn't test it yet)), you can make use of the --host-rules command switch to only allow Chrome to connect to a given domain/given domains. Access to other domains will be blocked. It could be useful for the profile allowing Java (without --safe-plugins).

You could give it a try and see if it's to your liking, and decide whether or not it is something your relatives could work with.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @DW426

When you disable the external plug-ins of Flash and Adobe and only use the plug-ins of Chrome itself (located in "C:\Users\etc"), because they are located in an unsafe place, they won't elevate. So even if Chrome's own sandbox should break, it won't elevate to high rights. So running without the --safe-plugins switch would not make a lot of difference. I do not run Java anymore; hardly any site uses it now.

    Regards Kees
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    YEP, at least I had them running on a w7 x64 box
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    As much as you're helping (and I really am appreciating all this information), I'm tempted to just throw the whole thing back under Sandboxie, and allow it to access my entire Chrome profile. It seems for the moment to be the best way to get them off my back, and for me to surf in peace with decent security and full usability. I never could get the safe admin reg tweaks figured out, but I think under Sandboxie they aren't required. Anyway, thanks for trying to help out, Moon and Kees.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
No problem. In the end, we all need to use what we feel most comfortable with. I'm also pretty sure you'd be providing the same feedback, if it was the other way around. :thumb:
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Kind of difficult, but Safe-Admin could be considered a poor man's AppGuard V2 on Windows 7 (on Vista, combining Safe Admin with Sully's PGS freebie would in my opinion be stronger than AppGuard V2). AppGuard V3 has some major improvements over V2, so it is definitely a better choice than safe-admin.


    AppGuard V3 runs well with Safe-Admin tweak (no need to use the drive by protection of Safe-admin)
     