Sana Security Primary Response - Opinions

Discussion in 'other anti-malware software' started by Malcontent, Oct 18, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Good that you were able to get the popup.:D
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Just a question. Is it possible to use UltraExplorer (not explorer.exe) to create files?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Try. Right click, new file > text document. Then right click this text document and rename it as xyz.exe. EQS gives a warning. I don't have TF installed ATM. Not sure whether it will detect this behaviour or not.
     

  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    TF does not alert if you use UltraExplorer to create a file.

    It's one step toward proving my suspicions: TF alerts on a file COPY operation to sensitive locations, not on a create operation. Obviously it's a whole lot more suspicious for programs to copy themselves than to create files.
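The copy-versus-create distinction discussed in the posts above, as an added example that is not part of the thread and not ThreatFire's own logic: a toy file-event monitor that tells a process copying its own image into a system or startup directory (worm-style replication) apart from a process that merely creates or renames a file there (the UltraExplorer case). The event format, the list of sensitive directories and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed set of locations where an executable being copied in is suspicious
# (example values; ThreatFire's real list is not given in the thread).
SENSITIVE_DIRS = (
    r"C:\Windows",
    r"C:\Windows\System32",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
)


@dataclass(frozen=True)
class FileEvent:
    """One file-system action attributed to a process (constructed format)."""
    pid: int
    image: str        # full path of the executable performing the action
    op: str           # "create", "rename" or "copy"
    dst: str          # path being created / written
    src: str = ""     # source path, only meaningful for "copy"


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised comparison form."""
    return str(PureWindowsPath(path)).lower()


def in_sensitive_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in SENSITIVE_DIRS)


def classify(ev: FileEvent) -> str:
    """'self-copy' > 'copy' > 'create' > 'ignore', in decreasing suspicion."""
    if not in_sensitive_dir(ev.dst):
        return "ignore"
    if ev.op == "copy":
        # A process dropping a copy of its own image into a system or
        # startup directory is the classic worm self-replication step.
        if _norm(ev.src) == _norm(ev.image):
            return "self-copy"
        return "copy"
    # "create" and "rename" (the new-text-file-then-rename-to-xyz.exe trick)
    # put an empty or user-typed file there; no replication is shown by that.
    return "create"


def alerts(events):
    """Return (pid, verdict, dst) for every event worth alerting on."""
    return [(ev.pid, classify(ev), ev.dst) for ev in events
            if classify(ev) in ("self-copy", "copy")]


# Constructed events for the demonstration.
SAMPLE_EVENTS = [
    FileEvent(1201, r"C:\Program Files\UltraExplorer\UltraExplorer.exe", "create",
              r"C:\Windows\New Text Document.txt"),
    FileEvent(1201, r"C:\Program Files\UltraExplorer\UltraExplorer.exe", "rename",
              r"C:\Windows\xyz.exe"),
    FileEvent(1337, r"C:\Temp\worm.exe", "copy",
              r"C:\Windows\System32\svchosts.exe", src=r"C:\Temp\worm.exe"),
    FileEvent(1500, r"C:\Temp\setup.exe", "copy",
              r"C:\Windows\helper.exe", src=r"C:\Temp\helper.exe"),
    FileEvent(1600, r"C:\Windows\notepad.exe", "create",
              r"C:\Users\kees\notes.txt"),
]

if __name__ == "__main__":
    for pid, verdict, dst in alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict} -> {dst}")
```

Run on the constructed stream, only the worm's self-copy and the installer's copy produce verdicts; the create-then-rename sequence in a system directory is classified as "create" and stays silent, which is the behaviour solcroft reports for TF. A real monitor would additionally need the process's actual image path from the kernel rather than trusting a field in the event.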
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    My guess is the same. It's a good way to detect worms.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    You can easily add file protection to C:\WINDOWS\*.exe files. TF allows the asterisk in file protection, just select on which operation (create, delete, write) you want to be notified.

    Regards K
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, I disagree with the fact that I am comparing TF with traditional HIPS in the way you describe.

    First:
    In the custom rules you can enter the exceptions (like is a system process or trusted process).

    Second:
    Toni Klein has put together a set of start up locations which normally would stay static/the same.

    My experience:
    With the "is a system process" exception on the registry startup set of Toni Klein you won't get a pop-up under normal operation, maybe one when installing a program (I cannot remember TF popping up with the Toni Klein TF-set I posted). So custom rules can make TF even stronger without losing its intelligence.

    Regards Kees
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    TF custom rules are difficult and confusing. Very poor info in its popups. I tried file protection and immediately removed it.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Kees,

    The thing is, adding autostart entries mostly only happens during new software installation.

    Opening msconfig on my computer reveals that I have Returnil, Sandboxie, MSN Messenger, McAfee and BitComet scheduled to autostart, for instance. By adding custom rules and excluding system files, that means TF would alert the user whenever he/she installed the above software, among numerous other things. They are obviously not malware, and it's pointless to flag them.

    The other thing to consider is that the majority of the reg entries you posted are already covered by TF! The only difference is that TF also contains inbuilt rules to determine whether the process is adding the autostart entries in a suspicious or malicious manner, so there's really no need to further tweak TF's registry protection.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    I understand why you do not need additional registry protection with the virtualisation progs you use. So that is no discussion.

    I know CB did protect against the Run**** startup entries (shown in italic below), the ones you can see with msconfig, when I tested CB Pro (over a year ago). It for sure did not protect against the majority of Toni Klein's startup entries (the ones used by worms and trojans). I am a little surprised TF does now, which is quite good actually.

    Funny that I did not notice. This might be because TF checks its internal rules before the custom rules. Would also explain why the Toni Klein set plus except when a system process is so quiet.

    How did you check that TF protects against the other entries/values?

    Values
    HKCU\Control Panel\Desktop\ScreenSaveActive
    HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
    HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
    HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
    HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
    HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
    HKLM\SYSTEM\ControlSet003\Control\Session Manager\BootExecute
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path

    And registry entries
    HKCR\Folder\shellex\ColumnHandlers\
    HKCR\ftp\shell\open\command\
    HKCR\*\shellex\ContextMenuHandlers\
    HKCR\PROTOCOLS\Filter\
    HKCU\Software\Microsoft\Command Processor\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\
    HKLM\SOFTWARE\Classes\batfile\shell\open\command\
    HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\
    HKLM\SOFTWARE\Classes\comfile\shell\open\command\
    HKLM\SOFTWARE\Classes\exefile\shell\open\command\
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\
    HKLM\SOFTWARE\Classes\piffile\shell\open\command\
    HKLM\SOFTWARE\Classes\ShellScrap\shell\open\command\
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    HKLM\SOFTWARE\Microsoft\Command Processor\
    HKLM\SOFTWARE\Microsoft\Ole\
    HKLM\SOFTWARE\Microsoft\Ras\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    HKLM\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
    HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\
    HKLM\SYSTEM\CurrentControlSet\Control\WOW\
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\

    Regards Kees
     
    Last edited: Oct 24, 2007
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To answer your last question first: by trial and error. I test TF rigorously against malware almost on a daily basis, and whenever TF warns and quarantines a malware, you can check the logs and the quarantine area for the very detailed logs on the actions the malware took and what was quarantined. Over time, you slowly learn what TF watches for and what triggers its alerts.

    Another thing is that a big portion (almost 50%) of the reg entries you posted are actually not autostart entries at all. They are values that are often attacked by malware and can adversely affect your system security if changed; for instance, malware can alter HKLM\SOFTWARE\Microsoft\Security Center\* to disable Security Center warnings, change HKLM\SOFTWARE\Classes\*\shell\open\command\ to change what programs are used to launch a file (typically this means the malware tries to point file associations to itself), or delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ to render the user unable to boot into Safe Mode.

    Last but not least, not having to use custom rules is not a question of what other programs I'm using, but the strong protection TF already provides. What many people do not realize is that TF monitors all actions processes perform, and once TF flags a malware, EVERY change the malware has written to the filesystem and registry is quarantined and reversed. This means that even if there is no specific rule watching for a specific action, it will still be rolled back as long as it was performed by the flagged malware. This is why TF doesn't need a rigorous set of rules watching every possible vulnerable registry and filesystem location, producing a bunch of useless alerts on legit processes the way a "dumb" HIPS does. A process can write to multiple locations not monitored by TF all it wants, but as soon as it performs a dangerous action that identifies it as malware, it will be terminated and quarantined, along with all those registry changes it had performed.
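The per-process rollback solcroft describes (every change a flagged process made is reversed, whether or not a rule watched that location), as an added example that is neither part of this thread nor ThreatFire's implementation: a change journal keyed by pid, plus heuristics for the three registry abuses named in the post (silencing Security Center, hijacking a shell\open\command association, deleting the SafeBoot key). The data model, the heuristics, the starting registry state and the event stream are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    pid: int
    path: str                 # registry value (or file path) that changed
    before: Optional[str]     # None: did not exist before
    after: Optional[str]      # None: deleted


class Journal:
    """Records every change per pid so a flagged process can be undone."""

    def __init__(self, state: Dict[str, str]):
        self.state = dict(state)
        self.log: List[Change] = []

    def apply(self, pid: int, path: str, new: Optional[str]) -> Change:
        change = Change(pid, path, self.state.get(path), new)
        self.log.append(change)
        if new is None:
            self.state.pop(path, None)
        else:
            self.state[path] = new
        return change

    def quarantine(self, pid: int) -> int:
        """Reverse all of pid's changes, newest first; returns how many."""
        mine = [c for c in reversed(self.log) if c.pid == pid]
        for c in mine:
            if c.before is None:
                self.state.pop(c.path, None)
            else:
                self.state[c.path] = c.before
        self.log = [c for c in self.log if c.pid != pid]
        return len(mine)


def is_dangerous(c: Change) -> bool:
    """The three cases named in the thread (example heuristics, not TF's rules)."""
    p = c.path.lower()
    if "\\security center\\" in p and p.endswith("disablenotify") and c.after == "1":
        return True                                   # silencing Security Center
    if "\\shell\\open\\command" in p and c.after is not None \
            and not c.after.startswith('"%1"'):
        return True                                   # file-association hijack
    if "\\control\\safeboot" in p and c.after is None:
        return True                                   # killing Safe Mode
    return False


def monitor(initial_state, events):
    """Apply (pid, path, new_value) events; on a dangerous one, roll back that pid."""
    journal = Journal(initial_state)
    quarantined: List[int] = []
    for pid, path, new in events:
        if pid in quarantined:
            continue                                  # process already terminated
        if is_dangerous(journal.apply(pid, path, new)):
            journal.quarantine(pid)
            quarantined.append(pid)
    return journal.state, quarantined


RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"

# Constructed starting state and event stream (paths are illustrative).
INITIAL_STATE = {
    SC + r"\AntiVirusDisableNotify": "0",
    r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)": '"%1" %*',
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal": "<present>",
    RUN + r"\BitComet": r"C:\Program Files\BitComet\BitComet.exe",
}
SAMPLE_EVENTS = [
    (666, r"HKCU\Software\Evil\Config", "1"),            # unmonitored location
    (666, RUN + r"\svchosts", r"C:\Windows\svchosts.exe"),
    (42, RUN + r"\Returnil", r"C:\Program Files\Returnil\Returnil.exe"),
    (666, SC + r"\AntiVirusDisableNotify", "1"),         # the identifying action
    (666, RUN + r"\svchosts", r"C:\Windows\other.exe"),  # never applied: pid gone
]


def demo():
    return monitor(INITIAL_STATE, SAMPLE_EVENTS)


if __name__ == "__main__":
    state, gone = demo()
    print("quarantined:", gone)
    for k, v in state.items():
        print(f"  {k} = {v}")
```

Two points the toy makes visible: the unmonitored HKCU write is undone purely because the same pid was later flagged, and the installer's Run entry (pid 42) survives untouched. The simple newest-first undo is only exact when no other process wrote the same path in between; a real product has to journal interleaved writers per path, not just per pid.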
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First, credit is to Toni Klein. Second, startup entries in this context are not limited to autostart entries but include the soft spots which worms and trojans attack, so that is a correct observation of yours.

    Although it is a subject of discussion I prefer the combo of a Soft/Policy Sandbox with a behavioral blocker over a classical HIPS. It requires low user interaction and a high level of protection. On vista 64 we use Haute Secure plus PRSC (to go back on topic).

    Only Online Armor is a bit of an exception due to its white and blacklist and included firewall. The (future) option to allow unknown programs to run with limited rights without a user pop-up is also a very user friendly solution. After all, running as admin causes 95 percent of the problems.

    Regards Kees
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Good observation Solcroft.:thumb:
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle, Solcroft

    Just because one part of the statement is true not every thing is true.

    Without this custom rule

    When any non-interactive process
    creates 1|TriggerCount network connections
    except when the source process is in the system process list
    or the source process is in the trusted process list

    ThreatFire flunks against the Trojan Demo of Bufferzone, with the extra custom rule it pops up a warning. In the past I challenged CyberHawk Free against a lot of tests. The outcomes of these tests made me buy Cyberhawk Pro just for the custom rules.

    I have not done all the tests again, just copied them into TF Pro. I won't discuss Solcroft's claim that they are useless, because he tests malware all the time. To his credit, I removed a few custom rules and TF indeed did protect against it in another way. Although Solcroft did not back up his statement with facts, I am open to other suggestions. TopperID and Toni Klein have helped with knowledge of the XP registry; I am not an expert, but the extra rules do not produce pop-ups in regular use (as long as you add the exception of system process and trusted processes).

    The test above proves at least that it is a wrong conclusion to state that because TF rolls back the changes you do not need extra custom rules.

    Regards Kees
     

    Last edited: Oct 26, 2007
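The custom rules discussed in this thread (Kees's C:\WINDOWS\*.exe file protection with selectable operations, the startup-key set with the "is a system process" exception, and the "when any non-interactive process creates N network connections except when the source process is in the system or trusted process list" rule), as an added example that is not part of the thread and not ThreatFire's or CyberHawk's rule engine: a minimal rule matcher with wildcard targets, per-pid trigger counts and exception lists, run over a constructed event stream. The rule fields, the process lists, the `*`-spans-subdirectories semantics and the events are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed exception lists (lower-case image paths), standing in for the
# "system process list" and "trusted process list" of the rule text.
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}
TRUSTED_PROCESSES = {r"c:\program files\msn messenger\msnmsgr.exe"}


@dataclass(frozen=True)
class Event:                 # one monitored action (constructed format)
    pid: int
    image: str               # executable performing the action
    kind: str                # "file", "registry" or "network"
    op: str                  # create / delete / write / connect
    target: str = ""         # file path, registry key, or remote host:port
    interactive: bool = True # False for processes with no user-visible window


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    ops: frozenset
    patterns: tuple = ()           # fnmatch patterns on target; '*' also spans '\'
    trigger_count: int = 1         # fire on the N-th matching event from one pid
    non_interactive_only: bool = False
    except_system: bool = True
    except_trusted: bool = True


def exempt(rule: Rule, ev: Event) -> bool:
    img = ev.image.lower()
    return ((rule.except_system and img in SYSTEM_PROCESSES)
            or (rule.except_trusted and img in TRUSTED_PROCESSES))


def matches(rule: Rule, ev: Event) -> bool:
    if rule.kind != ev.kind or ev.op not in rule.ops:
        return False
    if rule.non_interactive_only and ev.interactive:
        return False
    return not rule.patterns or any(fnmatchcase(ev.target.lower(), p.lower())
                                    for p in rule.patterns)


class Engine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.counts = Counter()   # (rule name, pid) -> matching events so far

    def feed(self, ev: Event):
        """Return the names of the rules that fire on this single event."""
        fired = []
        for rule in self.rules:
            if not matches(rule, ev) or exempt(rule, ev):
                continue
            self.counts[(rule.name, ev.pid)] += 1
            if self.counts[(rule.name, ev.pid)] == rule.trigger_count:
                fired.append(rule.name)
        return fired

    def run(self, events):
        return [(ev.pid, name) for ev in events for name in self.feed(ev)]


RULES = [
    Rule("windows-exe-protection", "file", frozenset({"create", "delete", "write"}),
         patterns=(r"C:\WINDOWS\*.exe",)),
    Rule("startup-registry", "registry", frozenset({"create", "write", "delete"}),
         patterns=(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*",
                   r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\*")),
    Rule("non-interactive-network", "network", frozenset({"connect"}),
         trigger_count=3, non_interactive_only=True),
]

WORM, EXPLORER = r"C:\Temp\worm.exe", r"C:\Windows\explorer.exe"
MSN, IE = r"C:\Program Files\MSN Messenger\msnmsgr.exe", r"C:\Program Files\IE\iexplore.exe"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [                                       # constructed stream
    Event(100, WORM, "file", "create", r"C:\Windows\svchosts.exe"),
    Event(200, EXPLORER, "file", "create", r"C:\Windows\xyz.exe"),     # system: exempt
    Event(100, WORM, "registry", "write", RUN + r"\svchosts"),
    Event(300, MSN, "registry", "write", RUN + r"\MSN Messenger"),     # trusted: exempt
    Event(400, IE, "network", "connect", "203.0.113.5:80"),            # interactive
    Event(100, WORM, "network", "connect", "203.0.113.7:25", interactive=False),
    Event(100, WORM, "network", "connect", "203.0.113.8:25", interactive=False),
    Event(400, IE, "network", "connect", "203.0.113.9:443"),
    Event(100, WORM, "network", "connect", "203.0.113.10:25", interactive=False),
]


def demo():
    return Engine(RULES).run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in demo():
        print(f"pid {pid}: {rule}")
```

With the exceptions in place the stream produces three alerts, all for pid 100; explorer.exe creating a file in C:\Windows (the rename test from earlier in the thread) and a trusted messenger adding its own Run entry stay silent, and the network rule only fires on the third non-interactive connection. Note that fnmatch's `*` crosses path separators, so `C:\WINDOWS\*.exe` here also covers System32; a product whose `*` stops at the directory boundary would need a separate pattern.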
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: I am using PRSC, and am eager to learn more from members; each time I noticed a fresh posting in this thread, I rushed to click and found NOTHING; NADA related to it, again the TF talk. I just wonder, can you guys open a new battlefield for that matter somewhere out there? Your dialogue is informative, but in the wrong channel, I suppose. :p
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    TF is essentially anti-malware. It works using the same operating principles as a "dumb" HIPS does, but was further designed to flag only malicious software. Flagging a harmless test file is essentially a false positive for TF.

    The problem with these kinds of test programs is that people inevitably use them beyond their intended purpose and pitch them against antivirus, intelligent behavior blockers and other things that are designed to detect only malware. Unfortunately, this then colors their perception of the software, and vendors are forced to add detection for absolutely useless crap like these to avoid complaints from people who don't know better, or live with the public perception that their software is somehow "flawed". In fact, TF does produce an alert on this harmless demo, as shown below. If PRSC managed to restrain itself, then it shows sophisticated rules to avoid FPs on their part, and its silence is actually not a downside at all.
     

    Attached Files: tf.jpg (24.5 KB)
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    Look at the attached image. I have a C partition with Programs and a D partition with Data. User documents are moved to D:\. So a different result for this version of the Trojan.

    I would not consider sending a text file with your directories a harmless FP. But be free to think so.
     

  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, if that is the case... to reiterate an earlier point, perhaps your expectations would be better served by a "dumb" HIPS that blocks every individual action, including ones performed by these test programs that use sensationalist terms to describe the situation when they do manage to simulate an attack, instead of intelligent behavior blockers that analyze a process to determine if it's actually malware.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    Thanks for the advice, but I am quite happy with the Behavioral Blocker + Soft/policy sandbox on every machine. I am not attacking TF, I am also happy with it (as with PRSC and A2 IDS).

    Regards Kees
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Point taken.
     
  21. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Now I have felt the intense heat generated by the conflict between HIPS and behavior blocker; not by you guys' debates, but rather by my own making. I have Sunbelt Kerio firewall 4.5.916 and TH installed on one PC. The HIPS feature of Kerio keeps popping up alerts re TH's intrusions; in spite of my repeated green lights, alerts are still continuing, off and on again. One quick question though: why would Kerio's HIPS be so sensitive to TH's behavior, but not to another app, PRSC, a behavior blocker incidentally? Is TH deeper in hooking or something?
     