ThreatFire custom rules: why use them?

Discussion in 'other anti-malware software' started by Kees1958, Nov 17, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    To understand how custom rules work see post

    https://www.wilderssecurity.com/showthread.php?t=183020

    I have got a few questions regarding custom rules from other members.

    1. Does TF have import/export?
    ==> No, not at the moment. When you want extra protection you have to enter it manually.

    2. Does it make sense to enter custom rules?
    ==> Yes and No.
    No: TF is very intelligent in the sense that it evaluates anomalies in behaviour and decides whether or not to warn. Also TF already has a lot of protection with the standard rules (f.i. registry protection of run entries and file protection of C:\windows etc).
    Yes: With custom rules you can make the protection more transparent, so you have a better understanding of what you are protected against. Downside is that custom rules are always single rules, so they are less smart than the built-in rules.

    3. Could you explain some of the custom rules?

    See next posts
     
    Last edited: Nov 17, 2007
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Registry protection: modifying registry entries

    An additional series of keys (remember: with \ on the end) and values (without \) can be watched by ThreatFire. Due to the exception limitation you can make this extra protection very quiet. Normally the entries and values mentioned will never be changed.

    See post https://www.wilderssecurity.com/showpost.php?p=1059755&postcount=15 and on.

    Guard registry entries
    A registry entry is being modified which normally hardly ever has to be changed. Check the process first before Allowing. When not installing a program, quarantine is the safest choice.

    Syntax
    When any process
    tries to write to the registry
    to <see list below> |TriggerKeys
    except when the source process is in the system process list
    or the source process is in the trusted process list

    <list to enter manually by copying from this post>
    HKCR\*\shellex\ContextMenuHandlers\
    HKCR\Folder\shellex\ColumnHandlers\
    HKCR\ftp\shell\open\command\
    HKCR\PROTOCOLS\Filter\
    HKCU\Software\Microsoft\Command Processor\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\
    HKLM\SOFTWARE\Classes\AppID\
    HKLM\SOFTWARE\Classes\batfile\shell\open\command\
    HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\
    HKLM\SOFTWARE\Classes\comfile\shell\open\command\
    HKLM\SOFTWARE\Classes\exefile\shell\open\command\
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\
    HKLM\SOFTWARE\Classes\piffile\shell\open\command\
    HKLM\SOFTWARE\Classes\ShellScrap\shell\open\command\
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    HKLM\SOFTWARE\Microsoft\Command Processor\
    HKLM\SOFTWARE\Microsoft\Ole\
    HKLM\SOFTWARE\Microsoft\Ras\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\nonwindowsapp\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\standard\
    HKLM\SOFTWARE\Microsoft\Windows\Driver Signing\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    HKLM\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
    HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\
    HKLM\SYSTEM\CurrentControlSet\Control\WOW\
    HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection\
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\
    HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices\
    HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\
     
    Last edited: Nov 19, 2007
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Registry protection of values

    As said in the previous post, these registry values should not need to be changed in normal operation.

    Guard registry values
    A registry value is being modified which normally hardly ever has to be changed. Check the process first before Allowing. When not installing a program, quarantine is the safest choice.

    Syntax
    When any process
    tries to write to the registry
    to <see list below> |TriggerValues
    except when the source process is in the system process list
    or the source process is in the trusted process list

    <list of values to be guarded>
    HKCU\Control Panel\Desktop\ScreenSaveActive
    HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs
    HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
    HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
    HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
    HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec
    HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
    HKLM\SYSTEM\ControlSet002\Control\Session Manager\Environment\ComSpec
    HKLM\SYSTEM\ControlSet003\Control\Session Manager\BootExecute
    HKLM\SYSTEM\ControlSet003\Control\Session Manager\Environment\ComSpec
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
    HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\StartupPrograms
     
    Last edited: Nov 20, 2007
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    System file protection

    TF already protects executables in C:\Windows; here are a few files which are vulnerable and could use some extra protection.

    Guard vulnerable XP files
    One of the files controlling the way XP works is changed by a process. This only happens on very rare occasions. When you are installing a program (or updating Windows) and you trust the program, choose Allow; otherwise Quarantine is the safest option.

    Syntax
    When any process
    tries to write or delete or create|TriggerAccessFlags a file
    named autoexec.bat or AUTOEXEC.nt or boot.ini or bootvrfy.exe or CONFIG.nt or config.sys or control.ini or hosts or lmhosts.sam or logon.exe or lssas.exe or msdos.sys or ntdetect.com or ntdos.sys or ntldr or svchost.exe or system.ini or win.ini or wininit.ini|TriggerFiles
    in C:\ or C:\WINDOWS or C:\WINDOWS\system32 or C:\WINDOWS\system32\drivers\etc|TriggerFolders


    Guard automated tasks

    Syntax
    When any process
    tries to write or delete or create or execute|TriggerAccessFlags a file
    in C:\WINDOWS\Tasks|TriggerFolders

    See previous how to post https://www.wilderssecurity.com/showpost.php?p=1059730&postcount=7
     
    Last edited: Nov 20, 2007
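    The rules in posts 2, 3 and 4 guard registry keys, single registry values and system files that legitimate software almost never touches. ThreatFire enforces such rules in real time; the script below is an added example (not from the thread and not a ThreatFire feature) that applies the same idea as a periodic audit: it snapshots a subset of those locations into a baseline file and reports anything that has changed since. It assumes Windows PowerShell 5.1 or later and an elevated prompt so HKLM\SYSTEM is readable; the lists are shortened excerpts of the posts above, and XP-only files such as boot.ini will simply show as missing on a current Windows.

```powershell
# Added example: baseline-and-diff audit of guarded registry keys, registry values and
# system files from the ThreatFire custom rules above. Not part of ThreatFire.
# Assumes Windows PowerShell 5.1+; run elevated. Extend the three lists to taste.
param(
    [string]$BaselinePath = "$env:USERPROFILE\tf-baseline.json",
    [switch]$Update   # rewrite the baseline after a change you know is legitimate
)

# Whole keys to watch (post 2, TriggerKeys): every value under the key is captured.
$GuardedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Single values that should not change in normal operation (post 3, TriggerValues).
$GuardedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';      Name = 'BootExecute' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';      Name = 'PendingFileRenameOperations' }
)

# Files from post 4; hashed with SHA-256 so silent content changes are caught too.
$GuardedFiles = @(
    "$env:SystemDrive\boot.ini",
    "$env:SystemRoot\system.ini",
    "$env:SystemRoot\win.ini",
    "$env:SystemRoot\System32\drivers\etc\hosts",
    "$env:SystemRoot\System32\drivers\etc\lmhosts.sam"
)

function Get-GuardState {
    $state = @{}
    foreach ($key in $GuardedKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { $state[$key] = '<missing>'; continue }
        # Serialise name=value pairs (sorted) so added, removed and edited values all differ.
        $pairs = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Sort-Object Name |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        $state[$key] = ($pairs -join ';')
    }
    foreach ($v in $GuardedValues) {
        $id  = "$($v.Key)\$($v.Name)"
        $val = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).$($v.Name)
        $state[$id] = if ($null -eq $val) { '<missing>' } else { "$val" }
    }
    foreach ($f in $GuardedFiles) {
        $state[$f] = if (Test-Path -LiteralPath $f) {
            (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        } else { '<missing>' }
    }
    return $state
}

$current = Get-GuardState

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

# ConvertFrom-Json returns a PSCustomObject, so look entries up as properties.
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$changed  = 0
foreach ($id in $current.Keys) {
    $old = $baseline.PSObject.Properties[$id].Value
    if ($old -ne $current[$id]) {
        $changed++
        Write-Warning "CHANGED: $id`n  was: $old`n  now: $($current[$id])"
    }
}
if ($changed -eq 0) { Write-Host 'No changes to guarded registry locations or files.' }
```

    Run it once to write the baseline, then on a schedule (or after any installer) to see the diff; pass -Update only after you have checked that a reported change was yours. An audit like this finds a modification after the fact, which is exactly the gap the ThreatFire rules close by prompting before the write happens.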
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Outbound / Internet-related protection

    A rule against trojans seeking an outbound connection (effective against the Trojandemo of BufferZone). This rule is triggered by programs not communicating with the user (non-interactive programs).

    Guard (hidden) outbound network initiation
    When the program is not your antivirus updater or Windows Update and you recognise this program, choose Allow plus remember. The worst thing that can happen is that some data is sent over the Internet. Google the process mentioned in the pop-up before choosing; when in doubt do not use the remember option.

    Syntax see post https://www.wilderssecurity.com/showpost.php?p=1059777&postcount=22
    When any non-interactive process
    creates 1|TriggerCount network connections
    except when the source process is in the system process list
    or the source process is in the trusted process list

    Important
    Add your other security programs to the trusted list. This will also reduce CPU spiking of TF.
    a) choose advanced tab
    b) choose custom rules setting
    c) choose process list (2nd) tab
    d) choose new
    e) choose . . . button
    f) browse to correct directory
     


    Last edited: Nov 17, 2007
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Listening for Internet traffic

    Some trojan downloaders listen to the Internet. These are nearly always programs without an active user interface, therefore this rule is triggered by programs not communicating with the user (non-interactive programs).

    Warn for hidden Internet listening
    When you do not recognise the program, Google the Internet. When in doubt do not choose the 'remember' option. This is (at this stage) a low risk. When you notice a lot of harddisk activity after choosing Allow, check your running processes. It is better to cancel this process and Google for these processes first.

    Syntax
    When any non-interactive process
    listens for network connections
    except when the source process is in the system process list
    or the source process is in the trusted process list
    |ExcludedProcesses
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Outbound traffic

    When you are behind a hardware router / firewall, a light control on outbound traffic will probably offer sufficient protection. Use this rule instead of a software firewall (like Webroot, Online Armor or Comodo) to save CPU and memory.

    Warn for new outbound connection
    A program has initiated outbound Internet traffic. When you trust and recognise the program choose Allow plus remember; when in doubt Google first and do not use the 'remember' option. When TF did pop up for something else, data theft is a possible risk.

    Syntax
    When any process
    creates 1|TriggerCount network connections
    except when
    the source process is in the system process list or
    the source process is in the trusted process list or
    the source process is Internet Explorer or
    LimeWire 4.12.11 or Opera or
    Outlook Express or
    Windows Media Player|ExcludedProcesses

    Important
    Besides allowing system and trusted processes, also select the third option a process list. Enter all programs seeking Internet (e-mail, P2P, web browser, etc), see picture
     


    Last edited: Nov 17, 2007
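    Posts 5, 6 and 7 all key on the same two signals: a process with no user interface opening an outbound connection, or any such process listening for inbound ones, with system and trusted processes excluded. The function below is an added example (not from the thread, and only a snapshot, not the live prompt ThreatFire gives) that lists current sockets the same way. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated prompt so every socket's owner is visible, and approximates "non-interactive" as a process with no main window; that approximation and the excluded-process names are assumptions, not ThreatFire's definitions.

```powershell
# Added example: report sockets owned by windowless processes that are not on an
# excluded list, mirroring the "non-interactive process creates / listens for network
# connections" rules. Not part of ThreatFire. Assumes Windows 8+ and an elevated shell.

# Names you would put on the trusted / excluded list (post 7). Matching by image name only
# is weak (malware can call itself iexplore.exe); check the Path column before trusting a row.
$Excluded = @('iexplore', 'opera', 'msimn', 'wmplayer', 'limewire', 'svchost', 'System', 'lsass', 'services')

function Get-HiddenNetworkActivity {
    param([string[]]$ExcludedNames = $Excluded)

    # Index running processes by PID once; OwningProcess is UInt32, so cast on lookup.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection |
        Where-Object { $_.State -in 'Listen', 'Established', 'SynSent' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            if ($null -eq $p) { return }                             # owner already exited
            if ($ExcludedNames -contains $p.ProcessName) { return }  # trusted / excluded list
            if ($p.MainWindowHandle -ne 0) { return }                # has a window: interactive
            [pscustomobject]@{
                Kind    = if ($_.State -eq 'Listen') { 'listening' } else { 'connected' }
                Pid     = $p.Id
                Process = $p.ProcessName
                Path    = $p.Path
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = if ($_.State -eq 'Listen') { '' } else { "$($_.RemoteAddress):$($_.RemotePort)" }
            }
        }
}

Get-HiddenNetworkActivity | Sort-Object Kind, Process | Format-Table -AutoSize
```

    Expect legitimate rows on any modern Windows (update and telemetry services have no window), which is the same tuning problem the posts solve by filling the trusted process list: add a name only after checking the Path column points into a directory you expect.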
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Additional ThreatGate program monitoring

    Important
    Next you can tighten the guarding of programs seeking an Internet connection. Therefore it is important to add some other programs (in my case Windows Media Player and LimeWire and an upload/download manager for my wife's telephone) to the list. See pic.

    Optional extra rules
    - renaming of files in system directories
    - starting some unusual programs
    - saving screensaver like file

    Remember this is for an extra early warning, focussed on threatgate programs.

    ThreatGate: renaming of files in system directories
    When an email program or web browser
    tries to rename a file
    in C:\ or C:\WINDOWS or C:\WINDOWS\System32|TriggerFolders
    except when the source process is in the system process list
    or the source process is in the trusted process list

    ThreatGate: starting some unusual programs
    When an email program or web browser
    tries to execute|TriggerAccessFlags a file
    named
    C:\WINDOWS\System32\cmd.exe or
    C:\WINDOWS\System32\cscript.exe or
    C:\WINDOWS\System32\msh.exe or
    C:\WINDOWS\System32\mshta.exe or
    C:\WINDOWS\System32\reg.exe or
    C:\WINDOWS\System32\regedit.exe or
    C:\WINDOWS\System32\regsvr32.exe or
    C:\WINDOWS\System32\wscript.exe or
    C:\WINDOWS\System32\ntvdm.exe or
    C:\WINDOWS\System32\ftp.exe or
    C:\WINDOWS\System32\tftp.exe or
    |TriggerFiles

    ThreatGate: saving screensaver-like file
    Select (click on the tick box) on the predefined custom rule
    "SCR file created by email or browser"
     


    Last edited: Nov 17, 2007
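    The "starting some unusual programs" rule in the post above is a parent/child check: a mail client or browser launching cmd.exe, wscript.exe, mshta.exe, regsvr32.exe and the like. The function below is an added example (not from the thread, and a point-in-time report rather than ThreatFire's pre-execution prompt) that walks the current process tree and flags exactly that relationship. It assumes Windows PowerShell 5.1 or later; the parent names are assumptions for a current machine, so substitute your own browser and mail clients, and the child list adds powershell.exe to the post's XP-era set.

```powershell
# Added example: find processes from the "unusual programs" list whose parent is a browser
# or mail client (the ThreatGate relationship). Not part of ThreatFire. Assumes PS 5.1+.

# Parents assumed for a modern machine; the post's originals are iexplore and msimn (Outlook Express).
$ThreatGateParents = @('iexplore', 'firefox', 'chrome', 'msedge', 'opera', 'msimn', 'outlook', 'thunderbird')
# Children from the post, plus powershell (assumption, not in the original rule).
$UnusualChildren   = @('cmd', 'cscript', 'wscript', 'msh', 'mshta', 'reg', 'regedit', 'regsvr32', 'ntvdm', 'ftp', 'tftp', 'powershell')

function Get-ThreatGateChildren {
    # Win32_Process carries ParentProcessId and CreationDate, which Get-Process does not expose.
    $all = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

    foreach ($proc in $all.Values) {
        $name = [IO.Path]::GetFileNameWithoutExtension($proc.Name)
        if ($UnusualChildren -notcontains $name) { continue }

        $parent = $all[[int]$proc.ParentProcessId]
        if ($null -eq $parent) { continue }                        # parent already gone
        # PIDs are reused: a "parent" created after its child is not the real parent.
        if ($parent.CreationDate -gt $proc.CreationDate) { continue }

        $parentName = [IO.Path]::GetFileNameWithoutExtension($parent.Name)
        if ($ThreatGateParents -contains $parentName) {
            [pscustomobject]@{
                Parent      = "$parentName ($($parent.ProcessId))"
                Child       = "$name ($($proc.ProcessId))"
                CommandLine = $proc.CommandLine
            }
        }
    }
}

Get-ThreatGateChildren | Format-Table -Wrap
```

    Because the check runs after the fact, a short-lived script host that has already exited will not appear; that is why the post's rule fires on the execute attempt itself rather than on a later scan.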
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    nice job again kees! these posts really help out new users to threatfire (like me). have you submitted them to pctools on their forums? these rules should be "stickied" over there so all new comers to threatfire can see them.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    ThreatFire's biggest strength - and product philosophy - is being able to provide strong protection WITHOUT having to muck around with settings like these. Not that I'm trying to belittle Kees' work, but still... posting a tutorial like this for programs like EQSecure would probably be a better investment of time and effort.
     
  11. idle.newbie

    idle.newbie Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    10
    Save As
    File name: "Kees1958 - ThreatFire custom rules why use_ - Wilders Security Forums"
    Save as type: Web archive (single file)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, I did post an EQSecure "how to" in the past. ;) https://www.wilderssecurity.com/showthread.php?t=170691&highlight=EQSecure Kees1958 Because you helped to overcome its (EQS) illogical structure of rules to an understandable "default system wide rules", "exceptions allowed per case/program", "special cases/programs denied" by posting in the Chinese forum. From what I read, I understand that Aigle and you are the most knowledgeable EQS users at the moment (so I re-bound this suggestion).

    Problem with TF is that together with DefenseWall running permanently it provides sufficient protection. The custom rules posted are the current set and inspired by using some other trials of other security software: e.g. file protection ideas from Safe'n Sec/Drive Sentry; additional internet (threat gate) programs protection of Websentinel and Haute Secure, Additional registry defense (brain picked from the Regdefend forum), Additional anti trojan (listening/outbound) rules from A2's IDS.

    Because I know your opinion and respect your point of view I answered the "does it make sense" with Yes and No. What would be a real 'proof of the pudding' is when you would try these additional rules also. Continue your anti-malware testing and report the difference over a period of say a month or two. Remember it is always easy to test malware by just unselecting the custom rule you made.

    Regards Kees
     
    Last edited: Nov 18, 2007
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, I don't think I'd have made such a remark without already having done the testing myself. I have EQSecure on another machine, and SSM+Winpooch on a VM, both of which are configured with utterly brutal global lockdown rules much tighter than the ones you've posted here.

    Granted, I agree that implementing these mass amounts of custom rules will offer earlier detection of malware, and - against some types which TF is currently weak or defenseless against - better protection. However, given the high level of protection TF already provides, and the attitude and response of the Novatix team in regards to plugging existing loopholes (they've fixed quite a couple during these last few updates), I still stand by my opinion that the Novatix team has been largely successful in carrying out TF's product philosophy and made custom rules unnecessary. This is especially the case if one runs a traditional blacklist antimalware scanner and a firewall alongside TF.
     
  14. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    But what of those of us behind a router and not using a s/w-firewall, post#7 would offer some amount of outbound, wouldn't it?
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    First, TF includes some inbuilt rules to recognize malicious processes that try to use stealth methods to connect to the internet and send data, or open ports for listening. Second, with TF running, it's highly unlikely any malicious program would manage to establish itself in your PC in the first place.

    The importance of outbound control is built more on paranoia and people who just follow trends without knowing why it's really needed, than any real-world significance. But if you're really worried about it, why are you relying on TF's custom rules instead of a real firewall with much more granular control?
     
  16. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I wasn't thinking of malicious programs, more of preventing installed apps. from going on the internet. Not relying on custom-rules as I don't have any yet. Was just reading up on it, and since TF is already installed.....
     
  17. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    If it was paranoia or a trend, I'd be using a software firewall that passed all the leak-tests...
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Solcroft makes a point: when behind a hardware firewall (preferably NAT + SPI) it makes more sense to prevent the theft than to focus on the thief not running away after the crime.

    Some outbound protection (like with SSM, Prosecurity or TF with custom rules) would do for most PC users when behind a hardware FW.

    Regards K
     
  19. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Kees1958. How do you go about making a basic rule if you're behind a router firewall and what would it be?
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Posts 5, 6 and 7 would pretty much cover it all without losing CPU performance
     
  21. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Thank you, Kees1958. With TF, it considers some Windows programs as safe that are the "real" trojan behaviour that I want to prevent. This pc is shared and I just want to prevent the other users from "accidently" accessing them....
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How much earlier?
    Let me guess: macros/script viruses, some file infectors, time bombs, some worms, rogue apps. Am I right?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lucas, see answers

    ad 1: in-time

    ad 2: you have read and interpreted the custom rules posted correctly, so you knew ;)


    Regards Kees
     
    Last edited: Nov 19, 2007
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Damn Kees, with all due respect, you have basically rewritten the whole concept behind "set it and forget it."o_O
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but you only have to set these custom rules once, afterwards you can forget. You won't be getting pop-ups. TF will still be silent. I reckon only when you forget to add the updaters of your trusted programs to the exceptions of the outbound traffic rules, you will get a pop-up. But then this also applies to software firewalls, which would have asked you to allow this as well.

    Custom rules are an option, not a prerequisite to classify ThreatFire as a good freeware behavioral blocker. But I thought when TF is so good I might as well skip the software firewall and apply some soft containment for registry, file and dangerous XP parts.

    I am wondering whether people are facing extra pop-ups when using these custom rules. On our PCs this was not the case.
     
    Last edited: Nov 19, 2007