The irrelevance of Applocker / relevance of SAFE admin tweaks

Is your OS Vista or Windows 7? I'm wondering if the Norton UAC Tool is compatible with Windows 7 even though I have heard it's not specifically just for Vista...

 

It's only compatible with Vista.

 

I've found a way to use Comodo Internet Security as a poor man's SRP/AppLocker with no or very little maintenance required. It works on Windows 7 x64 and should work on other Windows versions as well. If anyone is interested, please indicate so, and I'll do a writeup on the details.

 

I'm listening

 

Ok . I'll write it within the next few days.

 

I'm interested as well. I looked at using Malware Defender as a similar poor-man's SRP but it couldn't function exactly in the way needed, despite some assistance from Xiaolin.

 

Using Comodo Internet Security as an anti-executable

 

This looks interesting. How does it affect downloadable links in your web mail? Can you still execute files from the desktop?

 

Downloads are unrestricted. For best results, combine it with LUA.

More pointers and discussions here:
http://forums.techwatch.com.au/viewtopic.php?t=5871

 

Nope the 1806 trick prohibits execution, see https://www.wilderssecurity.com/showthread.php?t=262475 and https://www.wilderssecurity.com/showthread.php?t=261346

 

Yes when you remove the block, see https://www.wilderssecurity.com/showpost.php?p=1595882&postcount=6

 

Vista 32 business

 

1806 trick is a registery hack, how is it relevant to SRP as mentioned in http://www.mechbgon.com/srp/ ?

 

Kee's your idea sounds very good but I'm fuzzy on understanding it.

Does Vista 32bit have applocker? That's what I'm running.

I have tried LUA about 4 yeras ago and I had problems with certain programs working so I abandoned it. I will try again.

Referring to the link in your quote. Are you saying you can right click and unblock while running LUA or Admin? The link shows internet explorer being used. I use Firefox and Opera. Would this still work the same?

 

To restrict downloads

 

Vista 32 does not have applocker. But you can use the regfile BLOCK_ON and OFF in https://www.wilderssecurity.com/showthread.php?t=262475 .

Franklin tested it with Firefox. Firefox cancels the sownload, but leaves a zero bytes file https://www.wilderssecurity.com/showpost.php?p=1595988&postcount=13.

The right click unblock works when running ADMIN with UAC (full), you can download Norton's UAC Tool to remember UAC choices http://www.symantec.com/norton/theme.jsp?themeid=labs_uac&header=0&depthpath=0

 

All browsers "should" add what is known as a Zone.Identifier onto files downloaded from the web if the option is set to do so. Actually, you can enable this on the intranet as well. The files that will be tagged are in the same filetype list used to deny execution. This is why FF and Chrome work with this 1806 tweak.

Removing that Zone.Identifier is possible with tools obviously. When you use the 'unblock' feature, an obfuscated registry binary value is modfied to reflect this. Interestingly if you copy a file and then unblock it, then delete it, then copy the file again, then unblock it again, the obfuscated registry value is changed, but it uses the same key instead of creating a new one. I thought that was strange.

Anyway, I would not mind using this perhaps, but I am not about to right click > properties > unblock any time I want to execute something. There are two methods I have working now that will at least read the Zone.Identifier in code. The method to change it to an 'unblocked' state is not as clean as I would like, so further research ensues. It looks like it will be possible though to have a context menu option to unblock. I am wondering if there isn't also a method to do the reverse, to add a block on it. Who knows where this stuff might go... I sure don't

Sul.

 

@Kees1958

Thanks for the links. I have Vista Ultimate 32bit. I forgot the Ultimate part.

Reading this thread made me really re-think the way I have been running things. Thanks to all of you.

 

So you really are going to make the things Kees1958 outlined available in a easy to use program.

Do I understand you well enough that you are surpised in a pleasant way the possibility to manage this via right click options?

I am hoping you will be able to create this SAFE-admin program. I would surely use it. I am considering an ad hoc virtualisation solution as RX SandboxIE or Evalaze Opera with it for browsing the dark side of the internet. Chrome/Iron would be used for normal browsing (with the free PrevX safe on-line of which I have a download allready).

I have tested RX SandboxIE (with IE) and it loads fast, still in beta though. I also tried Evalaze Opera, it loads in three secs cold (only marginally faster at second start). I am leaning to thin-app like specials for a browser. I like the exe-VM specific browser solution (no drivers installed or stuff during normal operation).

thx

 

Here is a tidbit for you Firefox users regarding the ZoneIdentifier. It also has some good notes about what happens in general.

http://blog.case.edu/bes7/

Sul.

 

You want to see if a file has an ADS (alternate data stream) and if it does, if it has the ZoneTransfer tag set? This is a method without having to get a 3rd party tool.

Save as some-name.bat (drop object onto the batch file)

Code:

@Echo Off

:: check the first parameter (the dropped item)
IF "%~1"=="" GOTO xEnd
:: a %~1 removes any quotes - %1 is the first parameter (ie. what you drop onto the batch file)

IF NOT "%~2"=="" GOTO xEnd
:: check to be sure there isn't a 2nd parameter (%2) and if so, exit (this happens if you drop two items onto the batch file)

notepad.exe "%~f1:Zone.Identifier"
:: this uses notepad to open the dropped file
:: using %~ again, strips quotes, using the f means to use a fully qualified path
:: so "%~f1" = a quoted fully qualified path of the first parameter %1, which is the file dropped onto the batch file
:: notepad is simply opening the ADS.. pretty nifty trick

pause
exit



:xEnd
Echo. Ending...
Pause
Exit

I even commented it for you

Note that if you drop something without an ADS or specifically the tag of ZoneTransfer, the notepad will ask you if you want to create it, so just cancel.

You can also use the dir command with the /r switch to see it if an ADS exists, like this (drop object onto the batch file)

Code:

@Echo Off

:: check the first parameter (the dropped item)
IF "%~1"=="" GOTO xEnd

IF NOT "%~2"=="" GOTO xEnd

dir "%~f1" /r
pause
exit

:xEnd
Echo. Ending...
Pause
Exit

Sul.

 

*stabs GOTO repeatedly*

DIE GOTO DIE

 

Ahh wel, goto-less does a while for old cases like Sul and me to sink in

 

It is fortunate that we have a choice in the matter Kees. I can echo your remarks and have set my mind to direct my efforts more in line with todays languages if I have the time. I do live in a ctty, erm, I mean city after all.

Sul.

 

I've never understood the fuss over this 1806 tweak. This is something that comes as a default setting and much better if you ask me. A file is downloaded, the unblock button is added to the properties and if you want to run the file you don't need to select the unblock button. When the file is clicked to launch, before it can run a warning dialog comes up asking to run the file and selecting run launches the file with the unblock button still intact. Why aren't people just using the default setting for this? It's more conveniant and just as safe if not more because the unblock button is still there on the stored downloaded file. Am I missing something with this tweak? The only benefit I can see is that it can prevent all downloads from ever reaching the system but this can be set also in the options of the browser can't it?