ThreatFire 4.6 custom rules set up tip

Discussion in 'other anti-malware software' started by Kees1958, Sep 16, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    When you have a really simple Vista/Windows (x64) setup with Windows FW and just an AV (like my son's gaming box: Vista FW, MSE, UAC and Norton's UAC tool and Sully's PGS) you could use ThreatFire as an added layer of protection

    ThreatFire is freeware, I assume you use it with UAC on (Vista or Windows 7) or use SURUN (XP) to deal with 95% of the problems when running admin.

    First some precautions see pic
     

    Attached Files:

    • safe.jpg
      safe.jpg
      File size:
      50.2 KB
      Views:
      2,037
    Last edited: Sep 16, 2009
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Next click advanced tools

    Choose tab advanced rule settings and click Custom rule settings,

    Additional precautions see pic
     

    Attached Files:

  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Now we are going to add some additional protection


    Outbound protection

    First we are going to use a default custom rule, only adjust the description to a clear message (see pic 1)
     

    Attached Files:

  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Driveby execute protection


    TF has a really straightforward way of entering custom rules, see pic.

    Now we are going to add an additional rule for the Email and Webbrowsers.

    We want to be alerted when an program execution from the user space is initiated from an internet facing program. Most drive by infection happen this way.

    When you initiated the action yourself it is no point just choose ALLOW:


    Userspace in Vista is C:\Users in XP is C:\Documents and Settings

    Regards
     

    Attached Files:

    Last edited: Sep 16, 2009
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Next we are going to protect the user space part of the registry to prevent malware sneaking in when running LUA or having UAC on board to protect you.

    These are the KEYS which are protected (copy them one by one), keys have an \ at the end: TriggerKeys
    HKEY_CURRENT_USER\Control Panel\don't load\
    HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\DragDropHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\PropertySheetHandlers\
    HKEY_CURRENT_USER\Software\Classes\Drive\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ColumnHandlers\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\
    HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\AboutURLs\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\


    TriggerValues
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinLevel
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Safety Warning Level
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Security_RunActiveXControls
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Security_RunScripts
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Trust Warning Level
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
     

    Attached Files:

    Last edited: Sep 16, 2009
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    see the decription of the previous rule (registry change) in the pic below

    You can also choose to be warned when a screen saver file is saved by an Email or Webbrowser (also a defaulr rule).
     

    Attached Files:

    • done.jpg
      done.jpg
      File size:
      49.9 KB
      Views:
      2,006
    Last edited: Sep 16, 2009
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Also some vulnarable file locations protected from internat facing aps, (change Kevin for your Username)

    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    C:\Windows\System32\drivers\etc
    C:\Windows\Tasks|TriggerFolders


    see pic
     

    Attached Files:

  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Excellent tutorial there,I pointed many folks to your previous one,it saved me a great deal of effort and time :thumb:
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    The only problem I always had with this outbound protection is, that it seems to be impossible with TF to deny the connection but keep the program alive. :p
    Are there any changes with the latest Beta?
    Most often I don't want to kill the program, just deny the internet access.

    Cheers
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No that is still impossible, there is a kill but no deny, so for PDF readers going outbound, that is for instance a problem (Son's favourite x64 PDF reader does that, there are x32 freeware alternatives which don't).
     
  11. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Great thread.But if un-known apps runs,are those rule still available?

    From pics,I guess those rules just expand protective range.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, Kees, there is still one problem. If something tries for outbound, no way to stop it, short of killing that application. This seems rather radiculous to me.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Well you can add another rule which should not pop-up to much


    When any non-interactive process
    excutes a file which looks like an executable from the folder C:\Users,
    except when the source process is a trusted process
    or the originating process is located in the the folder C:\Program Files or C:\Program Files (x86).


    Alternatively you can activate the default rule Launch control (but thi swill generate a lot of pop-ups).
     
  14. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Oh,that is not convenient.If the insecure file which looks like an execution is executed by trust process.The corresponding rule is in vain.

    And TF doesn't support wildcard characters.Setting rules is a little difficult for me.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep it is inconveniant,

    Also I was not on the x64, I now see the dev team has not implemented the source originating, but only target process folder option, sorry about that :gack:

    ALTERNATIVELY: use PGS on x64 for deny execute SRP of user space and you will prevent all this execution control.
     
  16. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Good information.Thank you:) .
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  18. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I'm pretty sure i used wildcards in TF ...
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are right, for files there is, for registry there is not
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Nice screenshots and helpful advice on the TF --> CUSTOM RULES..... Keep rollin 'em out please

    Thanks
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Iron file access containment see pic
     

    Attached Files:

  22. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    wuld this rule work for firefox as well and IE and basically every browser? and quick question, why didnt u enable the HOSTS file protection rule?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    YES

    Host protection is a default rule, only valuable for XP running admin.

    When with Surun on XP you would be warned also. UAC on Vista/Win7 protects the host file by asking for elevation also..
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    ok thx, ill add that browser rule then :) but for firefox ther are 2 folders in its appdata folder, do i exclude both the profiles folder and the Mozilla Firefox folder, that has another folder named update within it?

    and what about the double file extension rule, is that worth enabling?
     
    Last edited: Sep 26, 2009
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Exclude Firefox's Appdata at the highest level when possible (subdirectories are included) or add them both. Is the plug-in folder of firefox in the normal Program Files director of FF? (If yes, then FireFox programs Folders exclusion takes care of that).

    Well some AV's download their updates with double extentions, it is a bit dated, but does not do any harm.

    I wonder: you have Mamuto and WinPatrol, why TF, Mamuto is the one with lowest CPU load, TF is more configurable. Both Mamuto and TF make WinPatrol more or less redundant. Why disable UAC?

    Regards Kees
     
Thread Status:
Not open for further replies.