Simplicity fun setup

Discussion in 'other anti-malware software' started by Kees1958, May 12, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    XP Pro SP3

    - Windows FW (sort of free)
    - Surun (free) = LUA smart (link http://kay-bruns.de/wp/software/surun/#8)
    - Trust-No-Exe (free) = SRP smart (link http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm)
    - Edgeguard Solo Beta (free) = extra contained threatgates (link http://www.blueridgenetworks.com/forms/es_register.php)
    - Set P2P, mail, IM, download, temp IE, recycler directories to limited user with XP Pro's SRP
    - Avira 9, high heuristics, check on all file types, only at write, safer driver load, optimised scan (also rootkits)
    - Keyscrambler free for IE8 (default banking/shopping browser), Chrome's internal sandbox (using Chromium for daily browsing)
    [EDIT]
    - Arrovax shield freebie (old, but still works, tracking cookies disabled, becasue they are not updated) to provide some additional user space protection
    - Rising PC doctor Free (IE frame protection and USB main reason)

    Two essential utilities for ACL http://www.fajo.de/portal/index.php?lang=en&option=com_frontpage&Itemid=1 for additional NTFS access policy management (missing security tab for files in XP Home). And ACLView, download from http://web.archive.org/web/20071026...hp?f=data/en/download&img=images/baner01e.gif)


    Used the above to gibe surunner plus current user access to diskcleaner and setting restore points/go back (C:]\windows\system32\repair), plus defraggler, OSAm and Panda anti-rootkit. Can use Windows recovery to 'undo'user space intrusions now plus repair capabilities of arrovax shield and Rising PC doctor. :thumb:

    What do you think?
    a) does it feel responsive? yes
    b) has it low memory usage? yes
    c) low CPU time usage? yes
    d) low I/O overhead? yes
    e) safe? :D
     
    Last edited: May 13, 2009
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why use SuRun and limited user SRP at same time?? Why Edgeguard instead of AppGuard, especially if this is all ran from admin? The could be more to mention on SRP. You have not mentioned sandboxie also as free and fun ;)

    I have a feeling this thread could start some interesting ideas..

    Sul.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I know you can make XP Home an XP Pro, https://www.wilderssecurity.com/showthread.php?t=200772 I know Tlu, Mrkvonic, You and Lucy are active with that. Just wanted so see whether I could find a lazy Freeware alternative. Possibly also for people who like LUA/SRP/ACL but do not dare to change their XP configuration as describesd in TLU's thread.

    Why SRP? simply because I want some programs (like LimeWire, Messenger, Outlook Express) and their downloaded data directories always contained. SO I did it for two reasons:
    a) I did not know what file extensions Surun covered (Trust-No-Exe also only monitors a few). So when Surun provides all extentions of SRP, I can drop this.
    b) I like the silent containment of SRP, which can be evaded by the user through Surun for these specific aps.


    Why Edguard in stead of Appguard: Appguard is paid, EdgeGuard is free. Another reeason is that EdgeGuard does not require terminal services to run, which reduces a lot of disk I/O (for some reason a few services keep on accessing the disk when terminal services is started). Therefore I needed Trust-No_exe to prevent executions from the user space.

    Note you have to set most of Avira's Apps to run as admin, also have to add C:\Documents and Settings\All Users\Application Data\Avira in TNE as a directory where executables are allowed to start (otherwise update wont work).

    Regards Kees
     
    Last edited: May 13, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    "Security setups which reduce the attack surface are boring, they even deny you the BASIC (user) RIGHTS to make wrong decisions" :D
     
  5. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Can you tell me how this can be done in XP Pro? Thanks
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Start ==> Run ==> secpol.msc

    See http://support.microsoft.com/kb/324036

    In IE you can find the location of your temporary internet dicrectories, in Outlook Express you will find them Options, Maintenance, Archive Map, you r P2P program will problably have a standard (limewire users limewire).

    Google for "Securing Windows XP" (Gaullaume Kaddoch), see page 11 at the bottom, Another source of interest is Microsofts "Windows XP Pro SP2 Security Configuration Guide 3.0", both are PDF's so I can not upload them.

    Regards Kees
     
  7. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Ahh thanks Kees as always :D

    Running surun atm so I think I may forego the reg tweak since by default applications are set to run under surun supervision. Good info nonetheless :D
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I have never been good in keeping secret, and that is going worse as I get older.

    So, Sul, please, excuse me for this terrible sin ;) :

    Sul is about to release a beta version of a free tool, which handles SRP, for admin or for LUA. You will not have anymore to use M$ tool or make a hazardous workaround.

    I guess the lazy one will have a simple and fun setup!
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    ... and that would be me!! yey!
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is "someone" going to be beaten up?

    :D
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Lucy,

    I have PM email with Sul on sharing ideas and examples, he did not mention it so you problably blown a scoop . . . :eek:


    @All
    Because Kafu.exe, Browser Hijjack Retailitor and Arrovax all do not completely cover the startup entries in the user space of the registry I have removed the rights of the current user of some HKU entries

    Removed create subkey and set value with regedit for
    ( when = created is mentioned, that key did not exist and I have added it first)

    HKEY_CURRENT_USER\Control Panel\don't load\

    HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\
    HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin\ = created

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\fileexts\.exe = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\

    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ = created

    These rights were allready removed (maby by SURUN?)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\


    HKU keys covered by Arrovax, so omited
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask plus all search and URL page references

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Network\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\DragDropHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\PropertySheetHandlers\
    HKEY_CURRENT_USER\Software\Classes\Drive\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ColumnHandlers\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ContextMenuHandlers\


    Regards Kees

    NB1. When you make these changes, be sure to set a restore point first and keep a text file which describes in detail what you have done, might you want to undo it later :D

    NB2. Rising PC dDoctor has got a LSP fix option
     
    Last edited: May 13, 2009
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I certainly hope not!
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Lucy, I wonder as a kid how excited you are before christmas or birthday lol. Ever sneak a peak at presents :D

    We have been working on this for some time now, and it nears the end from alpha to beta. A little more yet. But I am working 7days a week ATM, so it crawls like slug. But very soon.

    Sul.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    We can only thank you for your efforts! It sure will make the task of applying SRP a lot easier!
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I ran some quick tests and I really like Surun's flexibility. Trust No Exe looks at executable code in memory. This is stronger than SRP, after EXpOff had made a PoC which broke SRP in XP (= he is with Mickesoft now, LUA of Vista is much better so do not be afraid), I always was reluctant to build my security around SRP, but guess what:THIS FUN SET UP WILL REPLACE GeSWALL.

    So I diitched the regedit workaround of stripping rights of the user and the old crippled Avorax Shield and used a life time lisence of Malware Defender to replace it.

    Malware Defender now defends user space file access (task scheduler, host file and program autostart entries) and I made a registry group of all by Xiaolin provoded default Registry protection of autostarts, network, system and four of the guys from ThreatFire (sorry Xiaolin can't tell you, promised PC Tools DJames) and simple outbound protection plus application protection on direct disk access, kernel objects, direct disk access (since EdgeGuard does not protect against it) and system shutdown.

    I must say it is the lightest and strongest deny setup I ever have configured (ven EQS, Comodo's D+ could not match this), with so few pop-ups.
    :thumb: :thumb: :thumb: sometimes it is good to play, stimulates your out of the box thinking. Aslo thx to Stem who helped me configure my router, with his excellent ARP flow of event examples!

    Regards from a really happy Kees

    Note I also got an invitation of Avira to test new behavioral blocker, I will pass this one. In future I might check out on Panda when it comes out of beta.
     
    Last edited: May 13, 2009
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, like we couldn't guess it already :rolleyes:
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I only use it as a simple application network access firewall, protect files in user space and registry entries of user space (simular which DefenseWall defends besides HKLM). Comodo V3.5 missed some user space registry entries maybe new version has caught up. Luckily you have Sandboxie to protect you.
     
    Last edited: May 14, 2009
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I will when time machine gets out of public beta, meaning the official release version 4.1xx :blink:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Decided to test ride the Avira Beta. Reason is I wanted to complete the fun setup with freeware only. So few icons in the system tray of my desktop (XP Pro SP3 E5200@3,06Ghz - 2 GBRAM)

    - Windows FW (not visible)
    - Surun (not visible)
    - Trust-No-Exe (not visible)
    - EdgeGuard Solo (visible)
    - Avira Free beta (visible), secure load, rootkit check for scan, optimised scan. unattended heal (quarantaine repair delete), set heuristics high, for all files on write only, proactive on medium
    - Keyscrambler free for IE (not visible)
    - ScriptDefender (not visible)

    Browsing
    - Through OpenDNS set in router
    - IE8 (phising check disabled, since it is done on OpenDNS servers, XSS filter enabled) for online banking and shopping
    - Iron latest with addblock (and its internal sandboxed rendering engine) for daily browsing -incognito mode

    On-demand
    - OSAM
    - Panda AntiRootkit

    Zero layer defense
    - External Harddisk off line with paragon Free for image backup, Syncback for data backup
    - Linksys D635 router: Nat/SPI/Limited DPI FireWall with Lan partitioned (clients can not access each other), WPA2-AES, Mac Address Control Network filter (only our MAC addresses may bind to Router) with static IP's allowing only 5 internal IP's go through router (both in and out), inbound filter excluding our internal IP addresses to go in, ARP, DDos and Flood attack prevention, SSID hidden, WL clients wanting to add themselves to the LAN also need a PIN. Compensated this security overhead by fiddling with Quality Of Service Engine to recover full bandwith (typical Ping Time within NL < 8 Ms - !0Mbs download)

    Regards Kees
     

    Attached Files:

    Last edited: May 14, 2009
Loading...
Thread Status:
Not open for further replies.