Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Very true!
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can't test security software, because I don't know where to get scripts or any other bad object.
    I was lucky to find legitimate .js-files on my own harddisk, so I tried to run one of them and ScriptDefender reacted immediately and that's what I expected.

    My opinion about ScriptDefender is:
    1. It's simple and easy, all the rest is BAD.
    2. It's a 'dangerous' security software, because it won't keep me away from running scripts, good or bad.
    How can I choose between "Execute" or "Abort", when I don't even see the difference between a good or bad script? They all look the same to me and the bad guys won't give their scripts a suspicious name either. You see the problem?
    3. It's neither a blacklist nor a whitelist software, it's a warning software for possible bad file extensions, not for script extensions only, like the name "ScriptDefender" says, but for any extension.
    4. It has a bad uninstaller for such a little program, because it doesn't remove the intercepts automatically, while the info is available for the uninstaller.

    The bottom line is: I don't like ScriptDefender, too dangerous or at least annoying when I say "Abort" to a legitimate script on my computer.

    Anti-Executable is a very safe security software and doesn't ask me "Execute" or "Abort", it simply says "NO" without a choice and each "NO" is RIGHT, until it's whitelisted by myself, and I don't install software permanently until I know it's legitimate software.

    I do install any kind of software TEMPORARILY and only two things can happen:
    1. The software isn't destructive, but nevertheless 'dangerous'. In that case the software will be removed during reboot.
    2. The software is destructive, but
    a. doesn't corrupt FDISR. In that case the software will be removed during reboot.
    b. does corrupt FDISR. In that case an IMAGE will restore my system partition.
    In the future I might do tests with software like VMware, but once again I can't do it all at once and I work step by step.

    I'm only afraid of hardware infections, but I never saw them until now. :)
     
    Last edited: May 17, 2007
  3. EASTER.2010

    EASTER.2010 Guest

    I trust your judgement on the results you are confident in with AE, so thanks for the heads up. Like in an earlier post of mine referring to AE, I tried it once and I know it is quite formidable in that it absolutely refuses executables to launch unless you give it explicit permissions to let them.

    I'm almost of the mind to follow you on AE but for the time being I'm quite taken, at least for now, with HIPS that also refuse to allow most ANYTHING to launch without on-the-spot permission to do so, but I see your point. How does the average user determine exactly what is safe to let ride from something which could be a danger to the system settings if allowed to go on?
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AE is so good and SENSITIVE, that I can't even move my mouse over an unauthorized executable without getting a warning from AE. This happens a lot on my data partition when I move my mouse over a downloaded legitimate software-installer, which is still not installed permanently. If I want to move my mouse over it and double-click it, I have to turn off AE.
    Other users might consider this as very annoying and uncomfortable, but do they want protection or not? :)
     
  5. EASTER.2010

    EASTER.2010 Guest

    I've experienced that exact same thing with Anti-Virus apps. Seems like if my mouse pointer got near a listed (so-called) virus file while scrolling down the page, ALERT!!, up would pop the prompt for action to be taken, so if AE does that it's a very good thing.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Revisiting Script Defender:

    If there were a program to block script file types in the way AE does - that is, to create a white list of script file types and block everything else - many web pages would just refuse to load, for the caching/running of the necessary script files would be blocked, in the way that AE blocks any executable from downloading/running.

    I wouldn't want to say that you need or don't need any program - only you can make that decision - which I see you already have.

    But starting over: suppose you were thinking about trialling (oops - trial is not a verb) evaluating it:

    In learning what a particular program does, and weighing that against your knowledge of how different types of malware can get onto your computer, you can arrive at a decision.

    Remember, of course, that SD and similar programs deal with script files already on the HD that are double-clicked, and do not prevent script files being cached and interpreted by the browser (.js, .css, .vbs, etc). So, we can eliminate that scenario in this case.

    Consider a script file, 1.bat on the root of C:\

    http://www.urs2.net/rsj/computing/imgs/bat_1.gif

    When you d-click a file, this tells Windows to pass that file extension to the program
    associated with that file type. For example, d-clicking on a *.doc file,
    Windows tells MSWord (or your default Word Processor) to open that file.

    If I d-click to open this .bat file, SD alerts, because SD has modified
    the Registry entry for 'batfile' so as to "intercept" the Open Command:

    http://www.urs2.net/rsj/computing/imgs/bat_reg.gif
    _________________________________________________________________________________________

    http://www.urs2.net/rsj/computing/imgs/bat_2.gif

    One weakness in this type of program is that you can run the file from a Command Prompt
    and SD does not intercept because in using the Command Prompt, Windows File Association
    does not come into play. Cmd.exe interprets the file directly:

    http://www.urs2.net/rsj/computing/imgs/bat_3.gif

    Trojans have been known to run scripts using cmd.exe. So, you ask yourself, could a trojan executable get past your defense?

    Now that you know what the program protects against, your immediate question should be, under what circumstances would I d-click on a script file?

    You would also know that your system currently has no malicious script files on it, so the next question would be, under what circumstances would another script file get on to the HD? And would you d-click it?

    Most likely source would be in an email attachment. Would you open it? (We are not considering browser caching here, since SD doesn't deal with that)

    With this type of analysis (for any security program), you have information on which to base your decision as to whether or not this program is necessary, or adds anything significant to your set up.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
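    As an added example (not code from this thread, nor from ScriptDefender's or Anti-Executable's authors), the Python below audits the shell Open commands of script ProgIDs from a `reg export`-style text and flags any entry that differs from the expected default, which is the same registry location Rich shows SD modifying for 'batfile'. The default commands, the ProgID set and the constructed sample export (with a placeholder sdhook.exe path) are assumptions of this example. As the post notes, this only covers what happens on double-click: a script handed directly to cmd.exe never goes through these keys, so the audit says nothing about that path.

```python
import re

# Expected default "open" verb commands (assumption: Windows XP defaults;
# confirm against a clean reference machine before relying on them).
DEFAULT_OPEN_COMMANDS = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "VBSFile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "JSFile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
}

# Matches [HKEY_CLASSES_ROOT\<ProgID>\shell\open\command] and captures the ProgID.
_KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.IGNORECASE)
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')  # the key's (Default) value line

def _unescape(value):
    # Undo .reg escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r'\\(["\\])', r"\1", value)

def parse_open_commands(reg_text):
    """Return {progid: open_command} from 'reg export HKCR' style text."""
    commands, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
        elif line.startswith("["):       # some other key: stop collecting
            current = None
        elif current is not None:
            val = _DEFAULT_VALUE_RE.match(line)
            if val:
                commands[current] = _unescape(val.group(1))
    return commands

def audit_open_commands(reg_text):
    """Return (progid, 'missing'|'modified', actual) for every non-default entry."""
    found = {k.lower(): v for k, v in parse_open_commands(reg_text).items()}
    findings = []
    for progid, expected in DEFAULT_OPEN_COMMANDS.items():
        actual = found.get(progid.lower())
        if actual is None:
            findings.append((progid, "missing", None))
        elif actual.lower() != expected.lower():
            findings.append((progid, "modified", actual))
    return findings

# Constructed sample export: batfile is routed through a hypothetical interceptor
# (sdhook.exe is a placeholder name, not ScriptDefender's real file).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\Program Files\\ScriptDefender\\sdhook.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\VBSFile\shell\open\command]
@="%SystemRoot%\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\JSFile\shell\open\command]
@="%SystemRoot%\\System32\\WScript.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for progid, status, actual in audit_open_commands(SAMPLE_REG_EXPORT):
        print(f"{progid}: {status} -> {actual}")
```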
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Does AE stop batch (.bat) or executable (.exe and .com - 16-bit/32-bit) files from running when started from the "Command Prompt" (cmd.exe) window?

    What does AE do if you run Rich's "1.bat" file?

    If you take notepad.exe and copy it to a new name, for example, badguy.exe, and run badguy.exe from the "Command Prompt", does AE allow it to run?

    Mike
     
  8. EASTER.2010

    EASTER.2010 Guest

    I ran a rootkit once at a time when at the same time it rendered the command prompt completely useless and thus prevented running ANY command line rootkit detectors. That prompted me afterwards to look for an alternative CMD program to serve as an emergency solution to this and also renamed CMD or something on the order of DMC.exe to overcome that disabling method.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think one place that AE may fall short is with something like Rundll32.exe. The problem is once it is generically allowed, it can install any DLL. I used to like the way SSM handled it in the pop up, but now they changed it to rule based and it's way too complicated. KAV in the AIC module of the Proactive Defense is now handling it the way I feel comfortable. It asks for permission to run Rundll32.exe and once allowed it then gives the option to select either for everything (like AE) or just for that DLL module. The latter is preferable.

    Good for the novice user, probably questionable

    Pete
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I take this to mean that because rundll32.exe is White Listed, a malicious file installed could use it to install any dll.

    The malicious file could not install with AE enabled.

    Now, if AE is disabled to install a program and it turns out to be malicious, then with AE re-enabled, the malicious file could indeed allow the above scenario to happen.

    At this point you need a behavior blocker or such to catch the activity.

    AE will not do this because it is not a behavior blocker. So it's not fair to say "it may fall short" since that is not its job.

    If the above scenario with rundll32.exe is of concern, then, of course, you need something else in place to monitor it.

    regards,

    -rich

     
    Last edited: May 17, 2007
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    *.bat is a script file so AE won't catch them. Any file can be run from the Command Prompt unless you've got some way of blocking cmd.exe from running, or a way of intercepting it.

    What do you think will happen?

    regards,

    -rich

     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK

    I have no actual knowledge/use of AE, so I will guess AE will ask about a child process (badguy.exe) started by parent process (cmd.exe) o_O

    Mike
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, AE's only function is to say "NO" when you attempt to install an executable not already on the White List. Processes and stuff are the job of HIPS and similar programs.

    In your example, the "copy" command just creates a copy of the file with a new name, but the original file remains:

    http://www.urs2.net/rsj/computing/imgs/notepad_1.gif

    However, if you use the "Rename" command, DOS actually deletes the old file and creates a new renamed file, which AE blocks:

    http://www.urs2.net/rsj/computing/imgs/notepad_2.gif

    Also, AE would block moving the file, because the "Move" command actually involves copying the file to a new location and then deleting the original:

    http://www.urs2.net/rsj/computing/imgs/notepad_3.gif

    This protection is an added feature to keep someone from inadvertently deleting an executable - in situations where children use the family computer, etc.

    In suggesting examples involving processes, the assumption is that some malware has installed and is using cmd.exe to start a child process.

    AE would block the installation of the malware, except in the instance I cited above in answer to Pete.

    regards,

    -rich

     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I keep AE anyway. I knew in advance that AE wouldn't protect me completely, that is common for all security software. What about scanners? Are they so perfect in protecting your computer? o_O

    I probably need an additional security software that blocks on suspicious behaviour, maybe not?

    PS: Keep in mind that I also boot-to-restore, which is a killer of any infection. I only need security to save the day, they don't need to be perfect, because they aren't perfect.
     
    Last edited: May 17, 2007
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    What definition does AE think "install" is? When I think of "install", I think of creating folders, adding an uninstall entry to the registry, registering some DLLs, etc.

    Let me change my mind how I answered that question, instead of my "No" answer.

    So, if cmd.exe has been allowed to run, it could do this: DEL /F /S /Q c:\*.* ?

    What was the answer to this?

    Mike
     
    Last edited: May 17, 2007
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    See here for some examples of "install."

    Anti-Executable Tests

    AE would block any executable file from being deleted. I changed your command
    to include just *.exe to save me a reboot-to-restore:

    http://www.urs2.net/rsj/computing/imgs/AE_delete.gif
    ________________________________________________________________________

    Question: Except that I did it as a test, how could that command get executed on my computer? I'm not sure what your point is.

    Yes, because it is a copy of the original file, notepad.exe.

    Question: Except that I did it as a test, how could that file have gotten copied on my computer? I'm not sure what your point is.


    regards,

    -rich

     
    Last edited: May 17, 2007
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In order to test my total recovery solution, I ran this command and it deleted MANY files in my ON-LINE snapshot.
    I didn't use a .bat file. I typed everything manually.

    After I rebooted my computer, the FDISR Splash Screen appeared, I could boot in my OFF-LINE snapshot, but I couldn't get to the FDISR's main menu. So the FDISR-icon didn't work anymore.

    So I tried to boot in my ON-LINE snapshot and I got this error message:
    Windows could not start because the following file is missing or corrupt:
    <Windows root>\system32\hal.dll.
    Please re-install a copy of the above file.


    This message indicates that FDISR is corrupted and that means I have to start plan B, because plan A failed.
    I consider this as normal, because plan A and B = total recovery solution.

    Plan B:
    I restored my system partition with an IMAGE and I was back in business.

    Conclusion: this was a successful recovery. :)
     
  18. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    This was probably already said in this thread (didn't read everything yet), but yes, some malware can do their job even if isolated: Data stealers, for example, will upload your passwords, files, or anything they are designed to steal, to their server, may they be running isolated or not. A trojan like Ldpinch will send every bit of information it can find, as your XP serial number, etc, before you get rid of it by cleaning the sandbox ;) . Unless the sandbox program does have network control.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks nicM, I knew there was something wrong with these isolated infections.
    As long as the damage is on the harddisk and nothing more than that, then isolation works, but not in your examples.
    Do you have a cure for this? Firewall? I don't know much about anything.
     
  20. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK
    My point is, I have not used/seen/tested/studied/researched/etc AE... I have no clue what AE can do or can not do. I was trying to find out if cmd.exe can fork a system up... it appears it can.

    Since AE does this
    Hmmm, does not check the file name or a hash?

    My point is, I have not used/seen/tested/studied/researched/etc AE... I have no clue what AE can do or can not do. :)

    I can make up an example of how that command could be ran on your system...
    Some Wilders user by the name of "BMF2THEMAX" starts posting/asking questions for say, six months. He/she will appear to be just another confused/ignorant user. After six months and a couple hundred posts, he/she says there is this great new program called CYA-XSS that is wonderful, bla, bla, bla. So, everyone downloads it, and sure enough, it does a few good things. Everyone starts to complain that it does not do xyz. So, an updated CYA-XSS v1.01 is posted. Everyone downloads the updated program. The program waits for 3.14 days, and then creates/spawns a process that runs that DEL command.

    I have no clue how a program could do anything on your system if AE is installed... I have not used/seen/tested/studied/researched/etc AE.

    I am just another confused/ignorant user asking the same stupid questions over and over and over again.

    Mike
     
    Last edited: May 17, 2007
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You know much more than you think.

    First, ask yourself how this trojan "Ldpinch" would get past your security wall and become installed.

    Look again at the ways trojans get installed, and see if you think you have a vulnerability.

    Next, look carefully at nicM's statement:

    You've said in previous posts that your bank password, for example, constantly changes, and that you keep no personal data in files on your computer.

    You mention firewall. I assume yours has outbound protection, so that if such a trojan should install, the attempt to connect to the trojan's server will be blocked, as here:

    Firewall Alert

    After thinking through all of this, decide if something more needs to be added to what you already have.

    regards,

    -rich

     
  22. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    This indicates the MBR (Master Boot Record) was not damaged, and the PBR (Partition Boot Record) also was not damaged. FD-ISR (version 3.20 Build 202) does use the PBR for its menu.

    Nope, indicates a problem that XP could not find one of the required files to start the boot process.

    Here is the XP/W2K boot process...
    1) BIOS loads MBR
    2) MBR starts %SystemDrive%\ntldr
    3) ntldr reads %SystemDrive%\boot.ini and puts up the boot menu
    4) selecting a XP/W2K choice from menu causes ntldr to run %SystemDrive%\ntdetect.com to get hardware info
    5) ntldr then loads %SystemRoot%\system32\ntoskrnl.exe and %SystemRoot%\system32\hal.dll (fyi: HAL = Hardware Abstraction Layer)
    .
    .
    .

    So, I guess AE did protect %SystemDrive%\ntldr, %SystemDrive%\boot.ini, %SystemDrive%\ntdetect.com, %SystemRoot%\system32\ntoskrnl.exe, BUT NOT %SystemRoot%\system32\hal.dll.

    Mike
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Mike,

    Why not download an evaluation version and run some tests! Old adage in one of my lines of work:

    It's fine to ask for opinions and look at others' tests, but I don't think you will be satisfied until you prove for yourself what you are looking for :)

    Only if you have permitted some bad file to install and become White Listed and then invoke cmd.exe.

    I assume a copy of a file has the same hash.

    Interesting scenario. I really wonder if it would fly here at Wilders?

    First of all, I already demonstrated that AE would prevent that DEL command from deleting executable files. Assuming your scenario where the process runs DEL, as soon as the AE alert popped up, the user would know something weird is going on.

    Second, many here at Wilders run programs that would probably catch this process - they will have to confirm that.

    Finally, I would guess that everyone here at Wilders has some restore program that would quickly revert the system back to its original state - as Erik did - since that DEL command would trash non-executable files.

    regards,

    -rich

     
    Last edited: May 17, 2007
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not sure it didn't protect hal.dll.
    I could boot in my ON-LINE snapshot the first time, but I ran DEL a second time and this was maybe too much.
    I will redo the test tomorrow and see what happens when I run DEL only one time.

    I was only interested in my recovery solution, not the consequences of running DEL.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Without doing a forensic on the HD before it was restored, you can't be sure of the reason, and anything else is conjecture.
    I'm sure it wasn't because the file was deleted:

    http://www.urs2.net/rsj/computing/imgs/AE_delete-1.gif

    EDIT: [remove comments] -- after viewing Erik's last post, I see he omitted an important point in his first post,
    so we will have to wait until he runs this test again for clarification.

    regards,

    -rich

     
    Last edited: May 17, 2007