Staying out of risky places

Discussion in 'other anti-malware software' started by Kees1958, May 3, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,


    I am curious how effective staying out of risky places is as a defence strategy. So I have set up my wife's PC (XP Home) as an admin. I have installed CTM and DWv3. Our ISP now also provides mail filtering, so the most likely threat gate will be the browser. I would not start this experiment without a real-time AV if the ISP did not also filter our outbound e-mails (you do not want to surprise friends and contacts with infected mails).

    With CTM I can go back; DWv3 will paralyse any malware downloaded.

    This is the "staying out of risky places" setup:

    1. Open DNS through router with basic level filtering at their servers
    2. AVG Linkscanner free with surfprotection
    3. Searching with Google (also filters out some bad URLs)
    4. IE8 with phishing filter and SmartScreen enabled

    I will use Hitman Pro on demand, and on-line web scanners such as Panda ActiveScan and OneCare for periodic weekly checking.

    I will keep you posted. My wife only does on-line banking, on-line shopping and surfing for things to do, so a typical someone who uses the PC for communicating, information gathering and event shopping, not someone for whom the PC itself is a hobby.

    So the security strategy is
    a) staying out of risky places (see above)
    b) reducing attack surface & minimising impact (DWv3)
    c) having a contingency plan (CTM)

    Regards Kees
     
    Last edited: May 3, 2010
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Re: Staying out of risky places

    zup Kees!

    is DW really stronger than LUA?
     
  3. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    Re: Staying out of risky places

    This setup should work just fine bro ... even if your wife goes to risky places ;)
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    Which of them really prevents access (better) and which of them warns you when already accessed (bad)?
    The rest of your topic seems to be about how to protect your browser afterwards - reactive, NOT active.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi, Kees!
    You don't define what a "risky place" is.

    If you mean Porn, Crack, and illegal software sites, I assume your wife doesn't go there!

    But realistically, no matter how you define "risky," users today are more apt to get infected just by initially visiting a "safe" site, or even clicking on links in a search page, where cybercriminals have found vulnerabilities in the hosting server and injected code via i-frame or SQL injection, resulting in the user being redirected to a malicious site with a drive-by download. An early sensational example of this was the Super Bowl stadium site:

    Super Bowl stadium site hacked, seeded with exploits
    February 2nd, 2007
    http://blogs.zdnet.com/security/?p=15
    No one would classify that site as "risky" yet thousands became victims with a single click to find out Super Bowl information.

    Users are also more apt to be fooled by social engineering, than getting hit on a "risky" site:

    Who needs exploits when you have social engineering?
    http://isc.sans.org/diary.html?storyid=8710
    Zbot Social Engineering
    http://isc.sans.org/diary.html?storyid=8731
    In my view, something like this is all the average user really needs, and is what I've recommended for users for years, with great success. "Risky" cannot really be categorized, so, why worry about it?

    Teaching sound policies and procedures, along with your DW or the like, suffices, and all else is excess baggage for the average user, IMHO.


    regards,

    -rich
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Well, like Rmus has pointed out, any site can be infected, even so-called safe sites.

    Personally I really don't care if sites are infected or not. With the use of MD and Sandboxie, if I want to visit the site I go there regardless. I don't let the fear and paranoia of malware restrict my travels on the internet. I don't run away from malware-infected sites like a coward; I face it head on and smash it to the ground.
     
    Last edited: May 4, 2010
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Haa, as always Rich, a very good response.

    Correct, I did not specify that; good of you to elaborate. No, I do not think she needs to be warned about crack, porn sites etc. I do not expect her to fall for social engineering either.

    These are exactly the type of features I am curious about: server-side intrusions and weaknesses of the client-side browser, e.g.

    http://www.blackhat.com/presentatio...insecure-features-of-Internet-Explorer-wp.pdf

    The DW logs and/or paralysed remnants found by the periodic scans will prove this (I asked my wife to inform me when AVG, SmartScreen, OpenDNS or Google throws a pop-up). Are these features (beware of the data snatchers huuuuuh) just marketing gizmos, or do they provide real protection?

    Regards Kees
     
    Last edited: May 4, 2010
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Kees, have you ever tried Sandboxie? Sandboxie has been put through the grinder and tested by many Wilders members here. Once you configure it, it will be easy for your wife to use, and you won't have to worry about analysing DW, AVG and Google pop-ups etc. to see if they are real security threats or just marketing gizmos; all you do is simply empty the sandbox and all is good.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, for a support specialist these are really awkward questions, given the concept of these mechanisms. Probably something is lost in translation. So maybe this helps to explain:

    Open DNS = server side = prevent

    Google = server side = prevent

    AVG LinkScanner = adds rating to information cached by Google, so you are only processing Google's data combined with actual LS info = prevent
    Exploit shield = when the page loads

    IE phishing filter/SmartScreen = prevent when the page loads
    SmartScreen download checker = before the download starts
    (to give you an idea: http://www.youtube.com/watch?v=O94v1MdMcxk)

    Given the nature of CTM and me calling it contingency, we agree on this, since I only mentioned DW for reducing attack surface and threat containment (reducing impact). Again, I am totally missing the point you want to make here, so please elaborate/explain.

    Kees
     
    Last edited by a moderator: May 4, 2010
  10. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Sounds like you got a good plan Kees :thumb:

    But, much like arran said, I'm not gonna let the fear and paranoia of malware restrict my travels on the internet. I've gone everywhere and in the end, when it's time for me to go to sleep for the night, my PC is just as clean as it was when I woke up for the new day. Waay too many people here worry too much, and have security paranoia going on.

    If you truly think out what you want to accomplish in your security setup, it's easy and you're golden to surf.

    Just some random thoughts of mine :cool:
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, I tried SBIE in the past. The advantage of DW is that it issues near zero pop-ups and the contained downloads are on the real file system. So she does not need to know about DW; the concept is transparent.

    When you move something out of the sandbox, SBIE won't protect you any more. That was the whole idea of this test (don't mind infections, DW contains them).

    Besides, SBIE is difficult to use for someone e-mailing a lot and saving and sharing attachments (e.g. pictures, music): a permanent mail sandbox is no solution (you want to use the attachments out of the sandbox), and a temporary one blows away the mails after clearing the sandbox.

    Another reason why SBIE is nothing for her is the fact that besides her day-time job she is an aerobics/spinning teacher (a few lessons a week). She likes to set up her own music, so she buys a lot of on-line songs. When you download a zip file, the digital rights are downloaded at first play. Try to make this work with SBIE.

    SBIE would be more suited for me to use on my play PC. I have a lifetime licence of GeSWall; using the redirect option offers the same functionality as SBIE (GW offers virtualisation and policy containment). I use it to sandbox Chromium. With only one application sandboxed, GeSWall is okay (SBIE is much more effective in terms of performance when redirecting; when you use redirect too much in GW it will slow down your PC). I also have a licence of BufferZone, but I am not using it either.
     
    Last edited: May 4, 2010
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Funny you mention this part.

    I try Sandboxie every now and then, and while it's very powerful, I always end up going back to GeSWall or DefenseWall. I can't count how many times I've lost bookmarks because of Sandboxie :gack:, among other items I wanted to keep.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    But did you not know that you can force anything inside a certain folder which is saved to your OS to run in Sandboxie? All you need to do is have a folder on your desktop called, say, "downloads" for example, and configure your browser and email client to download all files to that folder, and anything in that folder, like songs etc., will be run in Sandboxie.

    Lost bookmarks? But Sandboxie's configuration can allow access to browser bookmarks.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Interesting setup. I would also consider using Spybot S&D or SpywareBlaster for browser blacklist capabilities, or a hosts file, which usually also blocks ads, which is nice with all the malware served through ads lately :)
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Spybot S&D or SpywareBlaster or a hosts file can have a lot of false positives.
    FF Adblock Plus or Ad Muncher is way better. However, this thread isn't about blocking ads.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Arran,

    When she receives photos she puts them neatly into a directory; next she may want to apply red-eye reduction or crop the picture a little. How would you achieve that with no hassle with an application virtualisation sandbox? When you sandbox a DRM song you will lose the playing rights. It is okay, I am not discussing the strength of SBIE, just the practicalities for her to use it. For these types of users, application virtualisation sandboxes in general are not as suited as policy containment sandboxes.

    Regards Kees
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    BoerenkoolMetWorst,

    On my play PC I can see that when I use Firefox Portable instead of Chrome (with --safe-plugins switch), GeSWall blocks or redirects a lot of disk-related activity of Flash ads. Problem: a lot of these ads run through third-party services, so the web site owner has no control over it. Also a lot of people do not know how to manage their Flash settings (that it is even possible is often unknown), so Flash/JavaScript ads are a real pain.

    So I wholeheartedly agree with ads as a source. I have read a lot about IE8 becoming sluggish when using IP blocking. It is my impression (maybe based on old experience, not relevant anymore) that those programs were great at the time of IE6. IE8 for instance allows control over ActiveX (allow only signed ActiveX etc.) and better cookie handling. So what would be the benefits of the freeware versions of Spybot and SpywareBlaster?

    Regards Kees
     
  18. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Excuse me... If I'm running under LUA, is GeSWall redundant?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GeSWall had some issues with LUA in the past. I would opt for SuRun plus GeSWall, with GW running as admin (also the server.exe in Windows).

    GeSWall protects against process modification, user-space registry etc.

    You will get something stronger than LUA with GW.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Well, it seems this thread has moved on from visiting risky websites to saved files on your OS, but since you are the OP it's OK with me.

    The simple solution is to sandbox the program you open image and video files with. For example, you use FastStone to view and edit image files and you use Zoom Player to watch video files; all you do is force FastStone and Zoom Player to run in Sandboxie, and all the files that FastStone and Zoom Player open run in Sandboxie.

    wrong thread dude.
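    What the forced-folder and forced-program setup described in posts 13 and 20 looks like as a Sandboxie.ini box section, added here as an illustration (not from the thread and not Sandboxie's own documentation); the user name, download folder location and viewer executable names are assumed.

```ini
# Added example Sandboxie.ini box section (illustration only, not from the thread).
# User name, folder location and program file names are assumed; adjust to the machine.
[DefaultBox]
Enabled=y

# Anything started from the shared download folder (browser and mail client both
# save here) is automatically run inside this box, songs and attachments included.
ForceFolder=C:\Documents and Settings\Wife\My Documents\Downloads

# The image and video viewers always start sandboxed, so every file they open is
# handled inside the box regardless of where it lives on the real disk.
# (FSViewer.exe = FastStone; zplayer.exe assumed for Zoom Player.)
ForceProcess=FSViewer.exe
ForceProcess=zplayer.exe

# Direct (unsandboxed) access to the Firefox bookmarks database, for firefox.exe only,
# so bookmarks survive "Delete Contents" instead of vanishing with the box.
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite
```

    Each OpenFilePath line punches a hole in the isolation for that one path, so keep such exceptions to the minimum the user actually needs.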
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Arran,

    How would you deal with DRM issues within Sandboxie? I would need LimeWire, WMP, Internet Explorer and Outlook all in the sandbox.

    She receives e-mails with pictures and music from friends. How do I split pictures from music into the DRM music sandbox and the image sandbox (as mentioned), with red-eye reduction, a program to create photo books (and print them remotely by uploading through a website service), so I would need IE also in this sandbox..

    I will have the same overlap problem with her mobile phone: synchronising with Outlook, synchronising internet bookmarks, pictures and movies and songs.

    Are you still with me :) A virtualisation sandbox is just not fit for this type of usage. DefenseWall runs out of the box transparently (only excluding the DRM directory from update protection by Untrusted). She uses her PC without knowing DW is there to protect.

    Regards Kees
     
    Last edited: May 4, 2010
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049

    Hi Kees

    I run Outlook sandboxed all the time. Works great. Also Netflix streaming uses Silverlight and has some DRM function. I ran it once unsandboxed, so Silverlight could install, and now I run it sandboxed all the time, and it works fine.

    Pete
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I install Silverlight into the sandbox and watch Netflix movies from there without issue. Don't do any DRM music and such though. I do the same thing with Flash and other similar items.

    Sul.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As far as I remember:

    Music DRM (on every first play the rights are downloaded) is a real pain for sandboxing; you either need to install everything in the sandbox or everything outside.

    Through mail and through her mobile phone sync she receives movies, pictures and music. Small phone movies are kept as is, but pictures are manipulated (red eye, cropping) and put in a photo book which is printed through upload. So I have 5 programs needing access to the same data.

    Installing everything in the sandbox overshoots its goal, when you consider that the playlists of WMP (besides paid IE downloads) also include music received free with LimeWire (P2P), Outlook, newsgroups, USB (her mobile phone link). This usage implies that 6 programs need access to the same data.

    Anyone having a user-friendly solution for this which is still safe, do not hesitate to post.

    Consider that DefenseWall has resource protection, meaning not only is trusted separated from untrusted, but untrusted is separated from untrusted as well, without any user intervention. DefenseWall, due to its nature, stores untrusted files in the physical file system, making it transparent and bypassing the access and DRM problem. On top of that, DW protects against keyloggers (no need to clear a sandbox). So the policy containment solution is much easier to use and implement (as said, out-of-the-box settings with one adaptation).

    Regards Kees
     
  25. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    I have seen this video now - OK, it's 1 year old and both sides improved. The important info for me was that IE8 blocks the files - it was said maybe OneCare, WinDefender or Anti-Malicious Tool did - so not IE8 itself. Also visible is that the action was blocked (see info bar), but the script which minimised the browser window was executed. And THAT is my purpose I try to explain - prevent hitting malicious sites or scripts in the browser: script filter, ad filter. And those mechanisms (bad ActiveX requests) only work with Internet Explorer, not in Firefox, not in Opera.

    OpenDNS, HOSTS - deny access to websites; Ad Muncher can filter ads and scripts.
    Google for safe browsing - not really, but OK (at least the user clicks it).

    CTM = Comodo Time Machine?
    I never used it (personal Comodo issue here) - is it comparable to Acronis True Image or other full-featured backup/imaging?
    # I don't think so -> http://www.computerguard.de/show_post.php?p=25703
    (German article on the subject)

    BTW I put downloads into a sandbox - in detail: the pre-set download folder for all is a folder within a sandbox - so any action done there ends up in the (limited) sandbox again.

    Ofc I don't surf in a sandbox - I would raise my security for Firefox, but that browser is secured by other methods.

    hth
     
    Last edited by a moderator: May 4, 2010