What next?

Discussion in 'other anti-malware software' started by Kees1958, Feb 19, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Wilders community

    I am wondering what to do next?

    I am behind a hardware FW and SensiveGuard gives added outbound protection (e.g. Outlook Express is only allowed to send mails when initiated by the user, to protect our PC from becoming a mailbot).

    Additional data wall protection by SensiveGuard:
    My C-drive executables (*.exe, *.com, *.dll, *.tlb, *.ocx, *.vxd, *.sys, *.scr, *.ini, *.hta) are protected from being changed by SensiveGuard. Programs with an internet connection are not allowed to read files from my D (data) drive when not initiated by the user (additional data theft protection). No program with an internet connection is allowed to download the above-mentioned executables.

    DefenseWall runs WMPlayer, Outlook Express, Internet Explorer, hh.exe, winhlp32.exe, ntvdm.exe, tftp.exe, ftp.exe, 7zFM.exe (zip manager to which all archive extensions are linked), LimeWire, the shared folder and incomplete folder of LimeWire, the Windows Tasks directory and the DVD and floppy drive as untrusted.

    SSM-free only allows white-listed processes and blocks start-ups from the shared directory and LimeWire incomplete directory, and blocks the registry keys shown in the attached picture. The rest is more or less the standard SSM free modules (IE protection).

    Antivir is my free Antivirus with Heuristics set to high.

    At the moment the PC shows no security pop-ups and the security apps cross-protect each other, except for Antivir (no MD5 hash check-in, and the Updater is allowed to start any process in SSM and is allowed by SensiveGuard to download non-user-initiated executable updates into a specified directory).

    The PC is hardened with SafeXP, Seconfig and SpywareBlaster and I use wireless MAC address control plus fixed IP addresses (no need for DHCP/DNS or svchost to go external). The SSM user interface is disconnected.

    What could I do more (for instance blocking additional registry entries from being changed) without confronting the user of this PC with pop-ups in normal operation?

    I have to use IE7, because the main user needs it to pay for downloaded music (through a Dutch banking application). IE7 is configured conservatively, with normal-high protection, but fully functioning. I have no special anti-keyloggers due to the Dutch banking security measures (with double public/private key protection), SensiveGuard and the DefenseWall 'red button'. But this thought could be too optimistic.

    I stopped using on-demand antispyware scanners after they had not found anything for at least half a year.

    Regards, Kees
     

    Attached Files:

    Last edited: Feb 19, 2007
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    You could add a HOSTS file or SpywareBlaster.

    Also, what are you trying to protect the computer from? That setup seems very secure as it is.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry I forgot to mention SpywareBlaster, added this in the text.

    Just trying to use the (registry) knowledge of the forum members for additional registry hardening.

    Thx
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    PeerGuardian with Bluetack's lists?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks, that is an extra to blacklist IPs for P2P.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You can also blacklist IPs of ad/spyware servers.
    I'm thinking of Link Scanner Lite and/or Dr. Web link checker.
    Perhaps it's too much.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lucas thanks,

    I have done some surfing. It seems that LimeWire 4.13 will have the option to import blacklists (now in Beta). Instead of adding a new app, I prefer to wait and see what import capabilities this new release has. After all, we did without all the time, so we can wait a short time. I will certainly add IP blacklisting to the security set, preferably with LimeWire 4.13, otherwise with PeerGuardian.

    Thanks for the feedback

    Others,

    I would still appreciate other registry entries to be guarded by SSM-free, so when anyone has suggestions please make them.

    Regards K
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    WhereWindowsMalwareHides.doc
    :thumb:
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Kees1958: that's quite a strategy! Congrats :thumb:
    However, what keeps you in the Windows world? I know what keeps me, but someone with that strategy must have thought about it, or at least considered it.
    Are there specific programs that you use which are not available for GNU/Linux?

    TIA. Like I usually say, I like to hear/read other perspectives.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Someone,

    My wife is the main user. Besides her job she is an aerobics/steps/spinning teacher for fun. She has learned how to download music via pay sites.

    Everything may change on the PC except Internet Explorer (because her favourite download sites can only deal with IE), Word and PowerPoint.

    So this means a no-go for open source software (Linux, which I regret).

    Regards K
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I see. That's the main problem worldwide: we're hooked one way or the other. Although those sites that only work with IE I usually try to ignore; only if I really have to. I refrain from insulting them, and from blocking their IP...
    But if you don't already, try VirtualBox or VMware, and check out Kubuntu and SUSE. VirtualBox is just a download, no personal details needed, and it just works, for me anyway. Really easy to operate.

    If you think it's way off topic, sorry. But I'm answering "What next?" :)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Someone,

    There is an upside to users stuck in their habits. I reckon her work will not upgrade to the next MS OS in 4 years. In that time the initiative to create a working XP-binary-compatible OS will hopefully be ready (ReactOS).

    Regards
     
    Last edited: Feb 20, 2007
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks, very helpful, I will check this through.

    EDIT: added 14 registry entries, see pic thanks!
     

    Attached Files:

    Last edited: Feb 21, 2007
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, I have played with it quite a while ago. The first setup was on a detail level, which is good for granular control but a lot of work when you want the PC to be pop-up quiet. I will wait until they are out of Beta. Interested in what you might find of it.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, if you don't mind I will ask a few Qs, as I know very little. :)
    Why run winhlp32.exe and ntvdm.exe untrusted?
    Any problems/loss of functionality from running tftp.exe and ftp.exe isolated?

    Correct me if I am wrong, but I think SSM free does not block all these reg entries? These might be there but not functioning. Have you checked?
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Aigle,

    Don't you remember I have thanked you for the sandbox tests you did. :thumb: So when you know very little, I know less. ;)

    Some worms use NTVDM to spread. You as a GeSWall Pro user (my son has it on the other PC) might remember the GeSWall test which 'ducked under' XP by using the command shell. I think for sandboxes it is hard to protect when the machine switches to old 16-bit or DOS apps. Therefore I have inactivated command and run NTVDM untrusted.

    Winhlp32.exe, see http://www.auditmypc.com/process/winhlp32.asp

    No functional degradation when running tftp and ftp untrusted.

    Regards K
     
    Last edited by a moderator: Feb 28, 2007
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When running with the user interface disconnected, the original action was ask. With the user interface disconnected you do not see pop-ups, so you won't see the 'ask' action.

    I have changed that to block. I thought I had tested it. I have seen SSM come into action in learn mode/user interface connected (it seems it falls back to ask when in learning mode on blocked entries).

    Even with SSM-free you can right click the registry module and add new entries. The registry guidance of SSM is really splendid (you can cascade to the correct group and it lists the string values currently mentioned in that entry, you can even set how deep you want SSM to block).

    SSM free also protects against physical memory violation (e.g. when Microsoft wants to check you have a legal version), while the documentation mentioned the free version did not. I think since using the V2 SSM some features originally not 'included' in the V1 version were enabled.

    SSM-free has some low-level disk access protection (which also should not be in the free version). I have a Dutch version of Partition Manager. When I delete the active C partition, Partition Manager pops up with a 'proceed' confirmation. SSM-free wants to close Partition Manager. The closing protection of Partition Manager comes up with a pop-up (do you really want to exit y/n). When I choose no, SSM-free immediately kicks into action again, triggering the closing protection of Partition Manager again. It always takes me three to four times before I am fast enough to confirm the 'proceed' pop-up of Partition Manager before SSM kicks in again.

    I like SSM-free over SSM-paid (I have a licence from giveawayoftheday), because it is less complex than SSM paid (or ProSecurity paid). I was a ProcessGuard/DSA user, so my opinion is coloured.

    Regards K
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Kees, thanks for explaining. Mostly new info about NTVDM for me.
    Regarding SSM, I have added a few more rules in SSM reg protection from your snapshot. Like you, I have an SSM pro licence as well but still use the free one, as I think the reg protection of Pro is much more complicated.

    I will see how it goes.
    Thanks.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    Do you have registry protection tips for me? I had hoped some registry die hards and MJ Registry users would join in this post to give some additional tips.

    Regards
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Take my word seriously, "I know little". :)
    I don't play much with the registry as I am afraid to invite trouble. I hope some advanced users, esp. those using RegDefend and RegRun, might help you.
    My apologies.

    Take care
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SSM free registry protection (1)

    Edit: changed HKLM/System/CurrentControlset/Services/Tcip/Parameters to
    HKLM/System/CurrentControlset/Services/Tcip/Parameters/Winsock

    With regedit I changed the access rights of the admin and the above system to
    HKLM/System/CurrentControlset/Services by unselecting full control, create subkey, delete, DAC data, write owner, security info read. This way new services cannot be installed or old ones deleted.
     

    Attached Files: 1.JPG (114.3 KB), 2.JPG (84 KB)
    Last edited: Feb 28, 2007
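The permission change described in post 22 can be verified without touching anything. The script below is an added example, not code from the thread or from SSM/SensiveGuard: it reads the ACL of the Services key and reports which of the rights the post unselects are still granted to Administrators or SYSTEM. The mapping of the post's wording ("DAC data", "Write owner", "Security info read") to Windows right names is an assumption noted in the comments, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the thread). Read-only audit of the ACL on
# HKLM\SYSTEM\CurrentControlSet\Services: for Administrators and SYSTEM,
# list which of the rights post 22 removes are still granted.
function Test-ServicesKeyAcl {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string[]]$Principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Assumed mapping of the post's checkbox names to RegistryRights flags:
    #   "create subkey"      -> CreateSubKey
    #   "delete"             -> Delete
    #   "DAC data"           -> ChangePermissions (Write DAC)
    #   "write owner"        -> TakeOwnership
    #   "security info read" -> ReadPermissions
    # Full Control contains all of these bits, so it is caught by the same mask.
    $mask = 0
    foreach ($name in 'CreateSubKey', 'Delete', 'ChangePermissions', 'TakeOwnership', 'ReadPermissions') {
        $mask = $mask -bor [int][System.Security.AccessControl.RegistryRights]::$name
    }

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries for the two principals the post restricts.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

        # Bitwise AND isolates the restricted rights this ACE still grants.
        # (Generic rights on inherit-only ACEs are not expanded here.)
        $granted = [int]$ace.RegistryRights -band $mask
        $label = 'none'
        if ($granted -ne 0) { $label = [System.Security.AccessControl.RegistryRights]$granted }

        [pscustomobject]@{
            Principal    = $ace.IdentityReference.Value
            Inherited    = $ace.IsInherited
            StillGranted = $label
            Hardened     = ($granted -eq 0)
        }
    }
}

Test-ServicesKeyAcl | Format-Table -AutoSize
```

A row with Hardened = False shows the change from the post was not applied to that principal. Denying SYSTEM CreateSubKey on this key blocks every service and driver installation, legitimate ones included, so check the audit output before and after any update that fails.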