The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    How do you mean? It functions as designed in regard to its purpose to block non-whitelisted executables.

    /C.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
No, no, it's not like this. I have proof (at least two samples). Wanna try?
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

No, I don't wanna try, but would be interested in knowing (a) if this is how most bad things work, or is it just of minority interest? Has it actually happened? And how are these remnants left on E: activated?

    Essentially what I would like to know is whether this is just a jolly good idea that amuses some theoreticians or a serious everyday issue. I can live with the former.
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
Do you want to see a picture of Anna Kornikova naked?

Well, we all know that we shouldn't open attachments from strangers, but it can't hurt to take a peek, can it?

I think all security software fails this way eventually - unless the user is allowed no input. So there is nothing wrong with the way AE works until the user gets sloppy and allows a new program to run, and even though it is pure evil AE will let it run - or perhaps I have misunderstood and AE can always tell the difference between good and bad?
     
  5. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
Erm....no....one of the reasons I don't get into trouble with my computers is that I leave the "trying" to the people who know what they are doing. :D
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It shouldn't be difficult to code malware which reads/writes the partition tables like KillDisk does. Instead of writing garbage, you unlock/unhide the "locked" partitions.
    Couldn't agree more. That's why you need to control the data flow. This is done with access permissions, HIPS sandboxes, firewalls, etc.
    You double click the drive (default action to open a drive/folder) and the autorun.inf calls the correct executable.
    Actually, worms spreading through removable drives are a real threat.
AE works with the default-deny concept. So, if you receive Anna Kornikova.gif.exe, AE would show a prompt saying it has denied access/execution rights to that file (a spoofed executable).
    To install something you need to open AE, enter the password and disable its protection, then rescan to whitelist all the executables created.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Yes Erik, but you missed an important point, and I didn't uninstall AE for the test. I dumped it.

I'll explain. I asked the gal that works for me how she rated her computer knowledge. She said somewhere between low and low-medium. I told her here was a program, it came from someone you very much trust, it would help you with your business, and she was pretty much sure it was safe. But my gal has a slight worry. So we stepped through the install, clicking each pop-up and looking at what it said. A lot was a puzzle to her until we got to a couple of registry modifications. The first one disabled Task Manager. She paused and said, why would my program want to do that? Then the next registry entry locked out registry tools. While it might have been too late, it was becoming clear even to her that this was not good.

My point about AE is I couldn't do what I just described. AE gives me no way to watch what is happening. You have to turn it off. Worse still, you turn it back on and it approves what you just did. So you absolutely have to be 100% sure of what you are installing with AE.

Is the end result the same? Maybe. I suspect in both cases the machine is infected. But one way I at least know, and take immediate action. The other way I don't, and who knows what can be done, until I restore the frozen snapshot.

    Later I plan on testing PC Security, and seeing how it holds up.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I have two samples, Blackday trojan and Wiking worm. If I execute them from partition C, they overwrite so many exe files on the D, E and F partitions on my system and convert all of these exes into their copies.

Now if you reboot and clean the C partition, you will still have a lot of malware copies on the D, E or F partitions. Of course these copies will not execute themselves, but they just need a mouse click.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

Hi Long View

What sent me down this road is I was taking a simplistic approach. I never open attachments, etc., use Sandboxie, and I only install stuff I absolutely trust. Plus I use FDISR and ShadowProtect, so I am fine. Then a good friend installed something they were assured was trusted, and wham.

    Made me realize that maybe my assumption about what I was trusting wasn't good. Now yes I can recover fairly easily, but that presumes I know something bad happened, and obviously better to know it right away. Made me realize maybe I shouldn't assume I can trust stuff, but watch the install and see what happens. May not catch everything, but some of the obvious bad is easy to spot. Then if infected, I can act immediately.

So is it theoretical? I would assume not. Doesn't mean we have to be totally paranoid, but we do have to understand what we are dealing with and act.

    Pete
     
  10. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

Thanks. The copies that will not execute themselves don't worry me that much.
I am unlikely to click. If I did, presumably C: would become contaminated again until reboot? Looks like it would help then to not have any exe on D:, E: ....?
     
  11. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
Stop sweating, here is a secure way to prevent any access to the 2nd hard drive and to disable it and/or turn it off. Devcon will do this. You can run it again to turn it back on. You can even run it by scheduler to turn on and off at a certain time. It's DOS, but I'll show you an easy way to use it for hard drives. Here's how you do it.

    http://download.microsoft.com/download/1/1/f/11f7dd10-272d-4cd2-896f-9ce67f3e0240/devcon.exe

Unpack it to c:\devcon - go to the c:\devcon\i386 folder in a cmd.exe DOS box.

Go to Device Manager and note the names of the hard drives (Hardware/Disk Drives) you want to disable or remove. No long names to remember, you just need to know a part of the hard drive name, e.g. WD800JB-0000028_USB_DEVICE is the whole name, you just have to remember a few letters of the name, like in this case WD800. Now do this...

    On the command line in the folder of devcon\i386

    To Disable your drive type devcon /disable *WDC800*

    To Remove your drive type devcon /remove *WDC800*

You can even do both, then remove your drive. It's gone in a flash.

    To get the drive(s) back all you have to do is this.

    type devcon /rescan

You can now make batch files and 2 shortcuts on your desktop to turn on and off when you want, or throw the batch file into the task scheduler to turn on/off at a certain time. A good thing to do, if you have an internal or external device for backups, is to run a batch to turn off the drive after you have backed up and on again before you do. :)

    Note: *WDC800* is just an example it will be different names for your drives. You just need to note down 3-4 letters of that drive as the name for it to work.
     
    Last edited: Nov 29, 2007
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hello All

Gave PC Security a quick test. It failed. Installed the program, set it up, and locked my E:\ drive, which is the 2nd drive on the VM machine. After locking it, I let the virus infect the machine. Rebooted, then shut down the unnecessary processes. Unlocked the E:\ drive, and the infection files were there. Ergo my conclusion:

    PC Security would be fine if you don't want someone to look at your "data" if they are sitting at your machine. However if you think it's protecting you from malware problems, while on line, that may be a false expectation.

Will try Markymoo's suggestion tomorrow.

    Pete
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Malware samples (viruses, worms, trojans, rootkits etc.) that I have used so far, all of them need a mouse click to execute, either directly or via an autorun etc. Is there a malware that executes itself without any click?

    Anyone please?
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for the test and that's not good.
Maybe we, including me, are using the wrong option: "Total Lock".

What if we use the option: "Hide Contents and Lock"?
    In that case you have to use this option for ALL folders of partition[E:]
    You can't use that option for the complete partition[E:]

    With this option,
    - you can't create new files (system.exe and autorun.inf are new files)
    - you can see the folders, but you can't open the folders.

    Check also the icon, if security is on, before you do the test. I hope it was on during the first test.


From support (long ago), I got this remark:
    If the option "Hide contents and Lock" doesn't work, then PC Security is useless. Another security software that doesn't do its job.
     
    Last edited: Nov 29, 2007
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Will play some more tonight.

    Pete
     
  16. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

As you are playing, and a user of ProSecurity, have you considered using the file and folder protection in that?

    I've been playing with it .... but could very quickly make the system unusable....

    Devcon seems like a nice and simple solution
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I assume you are talking about PC Security and not ProSecurity.
    PC Security only has to lock/unlock my data partition, I don't use the rest. I could have used any other similar software, but PS was the most convenient one and that part works properly since I installed it.
    If Peter's tests are negative, DevCon will probably be my second choice.
    DefenseWall can protect my data partition also, regarding untrusted applications, just like SandboxIE, but it's not convenient enough. I'm lazy and I count my mouse-clicks and actions, when I have to do something regularly.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks Peter, I'm very interested ... :cool:
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Starfish.

Yes, I do have licenses for ProSecurity, but the later betas, which have a lot of the file protections, also have issues. Also trying to remember if the file protections protect the whole drive.

    Pete
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Not sure I can test this, both disks have the same name.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
LOL. I investigated this myself and you are right, both my hard disks have the same name and I checked several IDs.
     
  22. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
lol, you don't make it easy hehe, no problem. Even if you have the same generic hardware IDs, there is a unique ID called the instance ID for every separate device in Enum in the registry you can latch onto. You only have to do this once ever to get it and save it in a batch file as I described.

Go to regedit and see all your hardware instance IDs, there you will see your drives listed under one key.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE] (yes IDE of all things)

There will be a unique string there. Even if that doesn't do it, there's always Enum/Storage/Volume.

So any unique short string that you can narrow down to 3-4 letters anywhere in the string, it doesn't have to be at the start, and the * in the command completes the rest of the 1 mile long string for you.

Watch your drive disappear from Device Manager along with the drive letter, it is physically removed.

If you remove it and you restart, Plug and Play will find it again. This may be fine for your purposes, but if you don't want it to come back on restart then use the disable command.

*I wrongly stated the command for remove, I typed devcon /disable, it should have been devcon /remove
to disable: devcon /disable *hard drive string*
to remove: devcon /remove *hard drive string*

To get drives back quickly, whether you disabled or removed them,
type devcon /rescan

Here's a good example.

Under Enum I have a drive string DiskWDC_WD4000YR-01PLB0_____________________01.06A01

01.06A01 is the revision and unique. I type devcon /remove *01.06A01* and the drive is gone. :)

More uniqueness: under the drive strings is a unique subkey with unique values like FriendlyName

    DiskWDC_WD4000YR-01PLB0_____________________01.06A01\4&f915a38&0&0.4.0

In fact, if you instead go to Device Manager, double click on a drive and then on Details, you straight away see the Instance Id in a combo box. This may be easier than going down the registry path.
     
    Last edited: Nov 29, 2007
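The on/off batch file markymoo describes, written out as an added illustration (not markymoo's or anyone else's script from this thread) that combines the devcon steps above with the instance-ID lookup, so two disks with the same model name can be told apart. It assumes devcon.exe was unpacked to C:\devcon\i386 as described, follows Microsoft's documented DevCon syntax (command names without a slash, "@" selecting an exact device instance ID), and uses the instance ID quoted in the post as a placeholder to be replaced with your own from Device Manager > Details.

```batch
@echo off
setlocal
rem Added illustration, not a script from the thread. Takes a data/backup disk
rem offline by its device instance ID before going online and brings it back
rem afterwards. Assumes devcon.exe at C:\devcon\i386 (see the post above).
rem DISK_ID is the string quoted in the post, used here as a PLACEHOLDER:
rem paste your own instance ID from Device Manager > Details.
set "DEVCON=C:\devcon\i386\devcon.exe"
set "DISK_ID=@IDE\DiskWDC_WD4000YR-01PLB0_____________________01.06A01\4&f915a38&0&0.4.0"

if /i "%~1"=="off"    goto :off
if /i "%~1"=="on"     goto :on
if /i "%~1"=="status" goto :status
echo Usage: %~nx0 off ^| on ^| status
exit /b 1

:off
rem "disable" survives a reboot; "remove" only lasts until Plug and Play
rem re-enumerates the disk at the next restart, as the post explains.
"%DEVCON%" disable "%DISK_ID%"
rem DevCon exit codes: 0 = done, 1 = done but reboot needed, 2 = failed, 3 = syntax.
if errorlevel 2 goto :fail
goto :status

:on
rem rescan re-adds a removed disk; enable undoes a disable. Doing both
rem brings the disk back whichever way it was taken offline.
"%DEVCON%" rescan
if errorlevel 2 goto :fail
"%DEVCON%" enable "%DISK_ID%"
if errorlevel 2 goto :fail
goto :status

:status
rem Verify rather than assume: print the state DevCon reports for the disk.
"%DEVCON%" status "%DISK_ID%"
exit /b 0

:fail
echo devcon reported an error; check the instance ID and run from an Administrator prompt.
exit /b 2
```

Run it as `drive.cmd off` before going online and `drive.cmd on` before a backup; a scheduled task can call the same two commands at fixed times.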
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Drive-bys :)
    Once you have the dropper/downloaded "confined", it needs a double-click to execute.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hi Markymoo

I have the highest regard for your technical expertise, but this to me is a non-solution. One of my criteria is I want a solution that I could help a non-technical friend get going over the phone. I wouldn't even fool with this myself.

    However I do appreciate knowing there is someone with the knowledge, that I admittedly don't have, that we can call on. Stay with us.

    Pete
     
  25. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

No, I'm talking about ProSecurity.

Devcon or DefenseWall are probably the easy way to do this.
     