What is your infection chance?

Discussion in 'other anti-malware software' started by Kees1958, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. 3xist

    3xist Guest

    Yep. Heuristics can improve a lot (glorified signatures). That's why you do need a layered defense. HIPS, yes, can be very annoying.

    Josh
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With Sandboxie you are completely unprotected in picking up an infection but fully protected in containing the infection to the sandbox.

    Returnil is the same in offering no protection in picking up an infection with a reboot required to clear most infections.

    Both make a great combo and yet I still employ ghost images just in case and they have been used on occasion due to my own tinkering with system settings whilst not in Returnil mode.
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    What is the chance of me getting infected? Answer: minimal, even with no protection beyond a hardware firewall and Firefox.

    What damage could any infection do? Not much. Data would not help anyone else. Passwords protected.

    How easy would it be to put right? Very easy with images.

    So we have a layered approach: 0.X% chance of infection x 0.Y% chance of real damage or loss x Z% chance of not being able to put things right = conclusion that any risk is both small and acceptable.
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,673
    Slim. But there's always a chance.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Easter, this discussion cannot be won by you; let's add some extra.

    To test a program for the 100%, this implies that all the possible program logic paths are tested in combination with all relevant decision context data.

    Because that is impossible, no one claims 100% bulletproof functioning of Software.


    To state that your infection chance is ZERO (when the PC is used and connected to the outside world) would imply somebody would know all test situations and critical OS/network conditions (also known as EXPLOITS).

    When this is the case (all EXPLOITS covered), you would not need a HIPS, but a simple blacklist scanner. Because you, dear Easter, have stopped putting faith in blacklist scanners, because they cannot know all exploits/viruses, why, my dear Easter, could you claim to be able to?

    Let me state very clearly, I know you have tested a lot, even got credentials from a famous rebellious security expert now working for a large software company (much liked by you ;) ) in testing his great product.

    I think you could rephrase your 0% as: you know that all known XP exploits do not have a chance in your setup. Given the fact that we are on SP3 (you are still running SP1, I believe). I believe you when you claim that your setup is in the top 3 setups challenged with malware, for all members not working as professionals in the IT-security industry.

    Regards Kees
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Long View, you are so right. Infection is all about the chance something will occur against the impact of the event/intrusion. My 0,35% is my intrusion failure percentage; to calculate my infection chance, I have to multiply it with the risk of infection. This risk is based on my PC behaviour (coming into dangerous places). For the sake of argument, let's discuss the intrusion failure percentage (that is my 0,35%).

    Regards Kees
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad A
    Yes, heuristics are based on family resemblance of viruses belonging to the same family. Compared to the behavior patterns of PRSC or TF, a virus family is much more detailed than a behavior pattern (so a larger risk of missing a new one which does not fall into an existing family). Also, active heuristics (and virtualisation) is used by a few AVs (Norman, Rising that I know of); this defense tricks malware into execution for better analysis. Virtualisation (and in future using the defense mechanisms of your CPU) and replacing passive heuristics with behavior blocking will be the development of future AVs. When they are successful in implementing the technology, they are the most likely candidates to bring virtualisation to the masses.

    Ad B

    There are several HIPS; first the ones that only prevent by looking at all the attack vectors. Examples of these are:

    1. Classical HIPS, like SSM/EQS/D+. By addressing the system hook table (for events), the file system and the registry, and parent-child execution control, they try to cover everything. Every classical HIPS chooses a selection of attack vectors to control; just run AVZ to see which hooks are covered. Because none controls all the attack vectors, this is an intrusive HIPS, with holes in its protection by design.

    Verdict:
    Defense mechanism = every program is treated the same until whitelisted; it is basically a door open or close policy. This one-size-fits-all approach cannot be successful by design (simply not all hooks can be covered). So it is essentially not an All for All approach (meaning ALL vectors covered for ALL programs handled). Another weak element is the fact that the whitelisting decision is made by the weakest link in the security chain (the user).

    Smart exceptions are execution blockers (like Anti Executable) with white and blacklists included. They focus on one core element: preventing execution. For AE it is possible to monitor all known hooks influencing the flow of execution, and it is possible to identify all currently known files with executable code in them.


    2. Behavior HIPS, like ThreatFire, PRSC, Mamutu
    They more or less monitor the same intrusion vectors as classical HIPS; some (like ThreatFire) are able to track all its actions after one action has aroused suspicion. What they do is what police profilers do: they identify malicious behavior patterns. Because an incident is generalised to an intrusion attribute, different malicious behavior falls into the same malicious behaviour pattern (as PRSC shows clearly in the analysis of the program, e.g. survives reboot, etc.).

    Verdict:
    Because a series of intrusions is translated into generalised malicious behaviour patterns, existing patterns will have a great chance against new threats, because they fall into an existing pattern (the same as heuristics with AVs identify families of malware, but to a much more detailed level; the more detail, the more specific, and more specific means less chance of success that a new malware will fit into an existing family). Behavior blockers do not have to cover the complete system hook table, because it is not an ON/OFF or DOOR OPEN/CLOSE policy in regard to one single intrusion; because they monitor a series of intrusions, they can afford to limit intrusion control to a few specified system hooks. The downside of behaviour blockers is that it is a FOCUS for ALL strategy; simply said, although a behaviour blocker only monitors a few dangerous system hooks, it does this for all programs (every program is treated more or less the same). Another performance setback (for old CPUs) is that an intelligent blocker like TF tracks all actions with the option to remove them; this rollback/quarantine tracking also takes a lot of CPU (on a dual core TF will fly, on single cores only on the fastest).

    3. Policy Sandboxes, like GeSWall and DefenseWall
    From a contingency point of view these programs have the best architectural design for reasons of:
    A) LUA and SRP is an old and proven defense mechanism; since it is incorporated in the OS, the handles to assure will nicely fit a third-party program, so the problem of which handles to monitor can be solved!
    B) Policy sandboxes focus only on the sources of possible malware, called THREATGATES, like browser, USB drive, mail etc. With a Threatgate application, communication with external data sources takes place. It is a clever way of engineering a CPU-intensive control mechanism on a limited set of programs (the ThreatGates).
    C) They do not have a DOOR OPEN/CLOSE policy. Files downloaded by Threatgate applications are marked as untrusted, so malware will always be mitigated. Compared to Classical HIPS (open/close) and Behavioral Blockers (well, let's track your actions while in the corridor), this is either a big security advantage (compared to classical HIPS) or a CPU performance advantage (compared to behavioral blockers).

    Verdict: The above explains it all; a policy sandbox is superior to classical HIPS in terms of risk mitigation (and user friendliness) and superior to behavioral blockers in terms of performance and reaction time window (trusted/untrusted state is a static condition and not a dynamic one like a series of intrusions on which the behavior blocker has to decide at the end, based on malicious patterns; also the risk of a new malicious pattern is not relevant to a policy sandbox).

    4. Virtualisation Sandbox
    Application-based virtualisation sandboxes like SBIE and SafeSpace have to lay a layer between the real world and the virtual world, per application. Although this seems a simple concept, it has the same downside as a Classical HIPS: it cannot cover everything. When granularity is set on application level, there are just too many interfaces to cover (and the interfaces themselves are more complex). By software design they are more complex than policy sandboxes while offering the same level of security.

    Verdict: Question: Why use a virtualisation sandbox when there are competing/alternative solutions with a smaller attack surface to cover (the number of handles to monitor), fewer interfaces, easier interfaces (because Microsoft incorporated policy management in the OS, only available on XP Pro and Vista Business)? Answer: Personal preference, confidence in the track record of the organisation you are buying from, references of trusted friends, ?; from a rational point of view a policy sandbox is less complex (ergo in theory more robust).

    Note: that SBIE was able to provide almost always the same level of protection as DefenseWall and GeSWall is because their team is doing a great job. Imagine what a good solution a PS4B (Policy Sandbox for Browsers) would have been when it would have been made by the SBIE team. Considering the fact that they are running a competition with GW/DW with a backpack full of lead and still are able to keep up! So compliments to the SBIE developer team.

    5. Shadow Sandbox
    Although this technology is based on the same principle as application-based virtualisation sandboxes, their assigned task is simpler, due to the lower level of granularity: not looking on a per-application basis, but either the whole system or a specific partition is virtualised. This helicopter view makes the number of handles to control smaller; for a partition there is also no mixed zone (in or out of the sandbox data pocket), so in theory applications like Shadow Defender, Returnil, Power Shadow etc. are a more solid defense solution than application-based sandboxes.

    Verdict: A good, feasible additional layer when experimenting or doing risky surfing plus downloading; after the session everything is cleared. Why this approach fits Windows/Vista better is the simple fact that Microsoft offers one themselves: Windows SteadyState.

    Agghh, this will trigger further discussion I think; it may also be a new thread with the title: why some HIPS are more solid than others: have a look at its design/modus operandi.

    Regards Kees
     
    Last edited: Jul 7, 2008
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Excellent write up Kees!!!!! Thanks!!!!
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks,

    When reading the above, you can see that the next Online Armor release with this new feature https://www.wilderssecurity.com/showpost.php?p=1270824&postcount=14 is a real winner.

    It is a sort of crossover of a smart classical HIPS/FW (same as Anti Executable with additional hook defense to be a firewall with top-class outbound traffic control/leaktest capabilities) and policy sandbox. Proof that it works can be read in Peter's testimonial https://www.wilderssecurity.com/showpost.php?p=1270392&postcount=7 (it also elegantly states the weakest link of a classical HIPS, the user).

    Best payware solution
    The paid version also has browser defense, so its contingency qualities also outclass many classical HIPS. When you think it is worth the money with the Kaspersky AV engine and it runs well on your PC, it is the most all-round and easy to use solution I currently know of.

    For a best-of-breed approach I would opt for DefenseWall (with its default resource protection it will also handle most leaktests, because it separates trusted from untrusted, providing more granular control) and ThreatFire FREE (with an additional outbound traffic rule). Sort of the same defense (not so solid firewall outbound traffic defense as OA, but it has the advantage over OA that DW also remembers the untrusted state of downloaded files).

    Best all-freeware solutions:
    Next Online Armor free with DriveSentry free (you can live without AV, because DriveSentry checks for in-the-wild malware, but when needed choose Antivir).

    GeSWall pro->free trick (copy resource control rules and application rules of the Pro version with print screens, remove Pro after the trial and setup are tested, install the GeSWall Free version and manually enter the rules in the control version for resources and relevant applications such as web browser, e-mail, chat, download manager, etc.) and ThreatFire free (also in this option you can live without an AV; TF checks at intrusion the VirusBuster DB; you can install Antivir as the best freeware AV).

    Regards Kees
     
    Last edited: Jul 6, 2008
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    As always Kees, very informative posts.
    Thanks a lot for that.

    (now I'm heading to tweak SBIE protection a little:D )
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It's impossible for me to know as an average user, which malicious object is active or inactive, directly or indirectly. I didn't write the malware, so I don't know what it does exactly and for what purpose and there are millions of them.
    I have the same problem with anti-malware, in most cases I don't know how it works and against what I'm protected.
    So I'm insecure about malware & anti-malware and what is written on websites/paper are just words and promises.

    The only way for me to be sure everything is gone is to undo any malicious change in my system by using ISR and IB, including the sleeping malware, which are indeed harmless until I activate them directly or indirectly.
    Security + ISR is good enough to save the day, but everything that is online is vulnerable in the long term. That's why I replace my actual system regularly with a clean system.
    I don't work with percentages; I simply want my system back as it was when I installed it and without spending time on it.

    In the past, I was always trapped in the same circle, that repeated itself over and over again :
    "clean system - infected system - removal of infections - clean system".
    I consider "removal of infections" as a waste of time, because going from "clean system" to "clean system" is the same as doing NOTHING and I know from the past how much time it took to get my clean system back.
    Each time I read an infection post at Wilders, I recognize myself in the past, but I changed my vicious circle into
    "clean system - infected system - clean system".
    I still can do whatever I want, but this time without the garbage and troubles.
    The circle "clean system - clean system" isn't possible, not with the security and new generation of malware of today.
     
    Last edited: Jul 6, 2008
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    About sandboxes:

    Wouldn't it be possible for malware to get out of the sandbox by letting the sandbox/something else/the system crash ?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,122
    Location:
    U.S.A. (South)
    Superb write-up Kees, and I relate to ErikAlbert's revolving door in the past. Thanks to the MANY new introductions at users' choice now, we have more options and methods to implement a sound strategy. Perfect? Maybe not to go that far if ever, but definitely closer by leaps and bounds than what was available times before.

    Very Informative Thread and Posts!!

    Great Comments & Replies from experience.

    EASTER
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Dunno?

    Do you have a PoC we could have a look at?
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's wrong. There are people who don't use security software and don't have a recovery/backup strategy and their systems are clean and working perfectly.
    Yes, it may be possible, at least theoretically.

    In the last years, malware writers have discovered/re-discovered undocumented or little known ways to execute/load/inject code at ring 0 (kernel) and thus they defeated advanced security software. Other malware writers have discovered how to write to disk bypassing the Windows storage stack and thus, they defeated virtualization/ISR software.

    Some bad guys may find a bug in SBIE's code or they may discover a new method to gain access to ring 0 without being noticed by SBIE. However, that possibility is very small.
     
  16. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    It's possible, but the chance of a real malware able to do this is much less than real malware bypassing several signature scanners.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Erik, Ilya meant that DefenseWall immobilises malware by keeping it caged in a strengthened limited user environment, hence the term "inactive malware" (meaning marked untrusted by DefenseWall) is harmless (untrusted files kept in a strengthened limited user environment).
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I was talking about malware that bypassed one of my security softwares, for instance my firewall or AE or DW, ... or my scanner, if I would use one.
    Airtight security doesn't exist, that's why I use ISR to remove the remaining malware and if ISR doesn't do the job, IB will do the job, including malicious low level changes. If IB fails, I'm infected and that would be a very interesting malware, must be a rambo malware or a malware that infected my motherboard, video card, .... ;)
     
    Last edited: Jul 7, 2008
  19. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Precisely. I'm also amused by those who say that they have layers of security and that this is why their systems are clean and work perfectly - highly flawed logic.

    FWIW I don't use security software and have never been contaminated. It is true that the recovery backup strategy that I employ could be used to recover from an infection but first I would have to be infected.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I would visit my bank website and Wilders only, I wouldn't be infected either.
    But I use ISR+IB for other reasons also. Threats aren't my main problem; legitimate softwares were my problem in the last two years. It's the total picture that counts.
    If I had no internet connection, I would use ISR+IB also to correct my mistakes quickly, to clean my computer (junk) and in case of disk crashes. The people you are talking about don't think ahead; they only think about today. It's a part of my job to think ahead.
     
    Last edited: Jul 7, 2008
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When staying out of risky areas, infection risk is also low. A girlfriend of mine managed with a Vista 32-bit PC with only LUA, Vista FW and Defender to stay clean for over a year. She asked for help because her Google search disappeared. It was a commercial ticker search bar installed. I ran a lot of on-demand scanners and only some light malware was installed.

    This sort of keeps things in perspective (the risks involved in surfing):doubt:

    I only installed Avast free in Dutch (Web, Internet Mail, Messenger, Internet Mail shields) and ThreatFire (settings https://www.wilderssecurity.com/showpost.php?p=1273805&postcount=14).
     
    Last edited: Jul 7, 2008
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I like reading these types of posts. Generally if you know something already you will glean some insight on a good method or new app, and if you know nothing then you just might learn something.

    But really it is sort of a moot point. Anyone understanding the topics in this thread already knows enough to save their data, whether one uses many 'tools' to achieve this or just uses an image, or nothing at all. The idea of giving oneself a rating of possible infection should maybe be 'What is your chance of losing sensitive data' or 'What is your chance of not recovering your data'.

    To say that my chance of infection is low would be true. To say that it cannot happen would be a false statement. To say that I am capable of putting my data back into place if a big oopsy happens would be plausible. To say that I have no sensitive data to lose to a keylogger etc would also be plausible.

    If I do not know what this thread is about, and we know that many, many do not, then the probability of losing sensitive data or just losing data is quantitative to my habits. No amount of protection can protect one from oneself when the self does not know what is going on. You simply place the tool that they seem comfortable with and hope they take interest in learning.

    Most sadly will not learn, and the hysteria and horror stories will continue, thus leading to more tools devoted to stopping the madness. Which is good for those who frequent these kinds of sites, because it gives us more geeky apps to test out to 'take control' of our computers.

    Ah, myself I care not anymore. I load up VMware to do anything 'sensitive', and maybe I will use many tools for protection on that. On the real OS there is nothing to lose, so a simple AV, FW & sandbox will be fine. Should something decide to go home or whatever, I will put in my unattended DVD and reinstall. Because my data is safe on mirror RAID, and a USB stick contains sensitive data for the VMware OS, 'tis easy IF it ever happens.

    Sul.
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    As generalizations go I think this one should be in the hall of fame or a sticky at least. Erik I don't know what you're smoking tonight but it must be powerful stuff. :p
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My final goal is to remove all my security softwares, use ISR+IB only and surf like a newbie, but I'm not ready yet. :rolleyes:
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    well my final setup is complete.;)
     