Threatfire custom rules and Registry

Discussion in 'other anti-malware software' started by Joeythedude, Apr 8, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hi

    I have been looking at custom rules in Threatfire, and especially Kees1958's excellent posts. :)

    I'm wondering if this rule would work, and I don't know how to test it.

    When an email program or web browser
    tries to write to the registry
    except when the source process is in the system process list
    or the source process is in the trusted process list

    I didn't specify any registry keys, but the rule was created anyway?

    Kees have you tried this ?
     
  2. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Off-topic, sorry: AVG IS includes ID Protection, which is a behaviour blocker. Have you disabled that, or do you run it alongside TF? Very interested in your reasons.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hi GR - no worries

    Yes, I run them both without any problem; you need to include both apps in the other's exclude files though.

    I like the way the AVG IDS lets you know when a browser starts downloading something. It's very discreet, I guess is the word: just a tiny pop-up saying
    ".temp file created in temp directory".

    So I think that would be handy to trace an unexpected file download.

    It also gives a nice summary of the running processes, with a threat indicator and a good description.

    The main AVG interface is much less impressive. It's still not easy to turn the Resident Shield on and off, and the firewall is much more confusing to set up than before.

    TF is great for the custom rules and for spotting odd behaviour. For example,
    I ran a MOD program to modify a game that I had, and it warned me that a "process injection" had taken place.
    I was well impressed with that.

    So I'd keep TF in any setup.

    I have a licence for KIS 2009, so I'm debating (daily :)) whether to move AVG out or not.

    Hope this answers your question a little , please ask more if you want.

    J
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, for Chrome it works; the guys of TF seem to have included Internet Explorer in the trusted list or something (some had issues that OE was quarantined). Try explicitly specifying HKLM and HKU (instead of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER).

    see https://www.wilderssecurity.com/showpost.php?p=1413325&postcount=23

    Note that you should add Chrome and your P2P programs (e.g. LimeWire) to the list of e-mail programs and web browsers.

    Regards Kees
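The hive-naming advice above (write HKLM and HKU rather than the long names, and HKU rather than HKEY_CURRENT_USER), as an added example that is not part of the original post and not Threatfire's own rule engine: a small Python model of the rule Joeythedude posted, run over constructed registry-write events. The process lists, the user SID and the events are made up for the example. The one fact it relies on is that HKEY_CURRENT_USER is a link into HKEY_USERS under the logged-on user's SID, so a rule written against HKU only covers HKCU writes when the event's key is expanded that way. That a rule with no hives listed matches nothing is this model's choice, not a statement about how Threatfire treats the key-less rule Joeythedude created.

```python
"""Model of a Threatfire-style 'browser writes to the registry' rule.

Added example: the lists, SID and events below are constructed for
illustration; nothing here is Threatfire's own code or configuration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Constructed SID for the logged-on user. HKEY_CURRENT_USER is a link to
# HKEY_USERS\<this SID>, so HKCU writes are expanded to their HKU form.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

# Long and short hive names as they may appear in events, normalised to
# the short form a rule is written against. HKCR stays separate: a rule
# naming only HKLM/HKU will not match a write expressed via HKEY_CLASSES_ROOT.
HIVE_SHORT = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_USERS": "HKU", "HKU": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKCR": "HKCR",
}


def normalize_key(key: str, user_sid: str = USER_SID) -> str:
    """Return KEY with its hive in short form and HKCU rewritten to HKU\\<SID>."""
    hive, _, rest = key.replace("/", "\\").partition("\\")
    hive = hive.upper()
    if hive in ("HKEY_CURRENT_USER", "HKCU"):
        hive = "HKU"
        rest = f"{user_sid}\\{rest}" if rest else user_sid
    elif hive in HIVE_SHORT:
        hive = HIVE_SHORT[hive]
    else:
        raise ValueError(f"unknown hive in {key!r}")
    return f"{hive}\\{rest}" if rest else hive


def hive_of(key: str) -> str:
    """Short hive name of a logged key, after normalisation."""
    return normalize_key(key).split("\\", 1)[0]


@dataclass(frozen=True)
class RegistryWrite:
    source_process: str  # image name of the writing process (constructed)
    key: str             # key as logged, long or short hive form


# Constructed process lists. Per Kees's note, Chrome and P2P clients such as
# LimeWire go into the e-mail/web-browser list as well.
EMAIL_AND_BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe",
                      "msimn.exe", "outlook.exe", "limewire.exe"}
SYSTEM_PROCESSES = {"services.exe", "winlogon.exe", "svchost.exe"}
TRUSTED_PROCESSES = {"trusted_av.exe"}   # hypothetical entry


def rule_fires(ev: RegistryWrite, watched_hives: Sequence[str] = ("HKLM", "HKU")) -> bool:
    """The posted rule: an e-mail program or browser writes to the registry,
    except when the source is a system or trusted process. WATCHED_HIVES is
    the 'registry keys' part of the rule; an empty list matches nothing here."""
    proc = ev.source_process.lower()
    if proc not in EMAIL_AND_BROWSERS:
        return False
    if proc in SYSTEM_PROCESSES or proc in TRUSTED_PROCESSES:
        return False
    return hive_of(ev.key) in watched_hives


def matches(events: Iterable[RegistryWrite],
            watched_hives: Sequence[str] = ("HKLM", "HKU")) -> List[RegistryWrite]:
    """Events the rule would alert on."""
    return [e for e in events if rule_fires(e, watched_hives)]


# Constructed sample events: two browsers, a P2P client, a system process,
# and a write spelled through HKEY_CLASSES_ROOT.
SAMPLE_EVENTS = [
    RegistryWrite("chrome.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    RegistryWrite("firefox.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla"),
    RegistryWrite("svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Services"),
    RegistryWrite("iexplore.exe", r"HKEY_CLASSES_ROOT\.html"),
    RegistryWrite("limewire.exe", r"HKEY_USERS\S-1-5-18\Software\LimeWire"),
]

if __name__ == "__main__":
    for ev in matches(SAMPLE_EVENTS):
        print(f"ALERT {ev.source_process} -> {normalize_key(ev.key)}")
```

The HKCU write from chrome.exe is reported under HKU because of the SID expansion; the HKCR write is not, which is the caveat to keep in mind when the rule lists hives explicitly.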
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AVG is basically Primary Response Safe Connect. You can obtain the same with TF when using this custom rule https://www.wilderssecurity.com/showpost.php?p=1413330&postcount=24

    When you are happy with your setup, leave it as it is, but by adding Chromium (with its internal sandbox) and the TF extra rules, you get a double check (the internal sandbox provides policy containment for the rendering engine, TF watches the Chromium main application). It should be as safe as FF with NoScript, only enjoying the full functionality.

    With the two above rules you could use KAV and TF as the best-of-breed options (KAV better than AVG, TF better than PRSC).

    Regards Kees
     
  6. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I have SRWare Iron, a Chrome spin-off, which I have blocked a bit like that.

    If I run level 4 security I sometimes get alerts that the browser is writing to files in its own installation directory.

    I remember reading you run TF at level 4.

    Did you Allow and Remember that alert ?

    Do you think Iron/Chrome writing to its own directory is a possible risk?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Joey

    Iron should have access to its profile directory and the application data in C:\documents and settings.

    I run TF at level 3

    There is no risk involved. I also used Iron, because it used the latest WebKit component (unlike Chromium lower than version 2.xxx). It also has an adblock list, so that is the only advantage Iron has over Chromium now.

    Regards Kees
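Kees's answer above (the browser legitimately writes to its profile directory and Application Data, and an alert on its installation directory is worth looking at), as an added example that is not from the original post and not Threatfire's own logic: a Python check that decides whether a browser file write lands inside an allowed tree. The paths are constructed for a Windows XP-style profile under C:\Documents and Settings; the user name, the Iron install location and the profile layout are assumptions. The point it adds is that the comparison is done on a normalised path, so a write into the install directory spelled with `..` components, or into a sibling directory that merely shares a prefix with the profile, is not mistaken for a profile write.

```python
"""Allow-list check for browser file writes (added example, not Threatfire code).

Constructed for a Windows XP-style layout, where the profile lives under
C:\\Documents and Settings\\<user>. All paths below are made up.
"""
import ntpath
from typing import Sequence

PROFILE = r"C:\Documents and Settings\joey"      # constructed user profile
INSTALL_DIR = r"C:\Program Files\SRWare Iron"     # constructed install location

# Trees a browser may legitimately write to: its own profile data, roaming
# Application Data, and the per-user temp directory (constructed layout).
ALLOWED_WRITE_ROOTS = (
    ntpath.join(PROFILE, r"Local Settings\Application Data\Chromium\User Data"),
    ntpath.join(PROFILE, r"Application Data"),
    ntpath.join(PROFILE, r"Local Settings\Temp"),
)


def canon(path: str) -> str:
    """Collapse '.' and '..' components and fold case and separators, so two
    spellings of the same file compare equal (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if PATH is ROOT or lies inside it. Matching on 'root + separator'
    stops '...\\joey' from matching '...\\joeysmith'."""
    p, r = canon(path), canon(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def classify_write(path: str,
                   allowed: Sequence[str] = ALLOWED_WRITE_ROOTS,
                   install_dir: str = INSTALL_DIR) -> str:
    """'allow' for writes inside an allowed tree, 'alert:install-dir' for
    writes into the browser's own installation directory, 'alert:other'
    for anything else."""
    if any(is_under(path, root) for root in allowed):
        return "allow"
    if is_under(path, install_dir):
        return "alert:install-dir"
    return "alert:other"


# Constructed sample writes, including a traversal spelling of the install
# directory and a look-alike profile name.
SAMPLE_WRITES = [
    r"C:\Documents and Settings\joey\Local Settings\Application Data\Chromium\User Data\Default\Cookies",
    r"c:/documents and settings/joey/local settings/temp/chrome_1a2b.tmp",
    r"C:\Program Files\SRWare Iron\chrome.dll",
    r"C:\Documents and Settings\joey\Application Data\..\..\..\Program Files\SRWare Iron\chrome.dll",
    r"C:\Documents and Settings\joeysmith\Application Data\dropped.dll",
]

if __name__ == "__main__":
    for p in SAMPLE_WRITES:
        print(f"{classify_write(p):18} {canon(p)}")
```

Whether a write to the install directory is a problem in practice is a separate question (an updater does exactly that); the check only makes sure the decision is taken on the real target path rather than on the string the event carried.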
     