
How good is Comodo Internet Security?


nik

23 Dec 2008, 09:31:16
Hello ppl,

I recently installed Comodo Internet Security and I would like to know your
opinion on this application and how trustworthy it is.
Will it keep my computer safe from online attacks and viruses, given that I don't
download vicious apps myself and don't visit porn sites?

Burkhard Ott

23 Dec 2008, 10:03:46
On Tue, 23 Dec 2008 16:31:16 +0200, nik wrote:

> I recently installed Comodo Internet Security and I would like to know your
> opinion on this application and how trustworthy it is.

not trustworthy.

> Will it keep my computer safe from online attacks and viruses given I
> don't download vicious apps myself and don't visit porn sites?

No.

cheers

VanguardLH

23 Dec 2008, 15:35:33
nik wrote:

Comodo Firewall Pro is excellent. The included HIPS (Defense+) is
excellent.
The antivirus component sucks. It never got out of its beta status for
around 2 years to deliberately keep it out of independent testing to
prove/disprove its pest coverage. I've used Comodo's firewall (both in
v2 without HIPS and v3 with HIPS) and it is a top free firewall with
only one or two commercial firewalls being better. Typically it and
Tallemu's Online Armor (OA) are at the 2nd and 3rd position for
firewalls (free and paid). HIPS takes getting used to due to all the
prompts and why both CPF and OA include whitelists of known good apps to
reduce the prompt count although some users are more paranoid and want
prompting on all applications.

There are arguments (some very good by some highly educated network
experts) as to why a software firewall won't really protect you from
nasties (once they get deposited and become active on your host). The
Windows firewall or the one in your router are sufficient for outside
attacks (except you can still get DOS'ed) while they and better software
firewalls are really only good to keep the good apps obeying your wants
and the feeble malware constrained. HIPS can become daunting to many
users, especially non-experts because the prompts require knowledge of
the apps or OS that the typical user may not have. They make the wrong
choices, either clicking OK to every prompt which obviates the point of
the firewall and/or HIPS or constraining the actions allowed for a
process so that the app won't function correctly or can even cause OS
problems. Threatfire attempts to be a HIPS that is transparent to the
user (it is a behavioral analyzer) but it misses too much malware, has
false positives, and really doesn't work well with other security
products, like Avast's WebShield or GeSWall, causing problems ranging from it
being stuck in "initializing" mode to s-e-v-e-r-e-l-y slowing your host
to where you believe it is hung.
well with other security products, and Threatfire isn't a total
solution. Of course, the user can decide to disable Defense+ (HIPS) in
CFP to eliminate all those prompts and having to investigate all those
choices.

I wouldn't bother with the antivirus component. Alas, Comodo has
decided to drop distribution of just their firewall and now is
distributing their Internet suite product but hopefully the CIS install
lets you NOT include their antivirus component. For antivirus, and for
something free, use Avast or Avira (but with Avira you'll need to find
the tricks to get rid of the splash screen and their adware nag on
updates). I like Avast better versus Avira that has had me waste too
much time on false positives. The paid versions of both include
additional protection features but I feel comfortable enough with the
free versions. Plus I use GeSWall Free to isolate the web browser using
stronger policies than just running under a LUA (limited user account)
token which simply removes some privileges from the browser's process.

GeSWall Free isolates *all* instances of the web browser no matter if it
was started directly or as a child process, like when clicking on a URL
link in an e-mail. DropMyRights, SysInternals' psexec, and other
similar utilities can run the web browser using a LUA token but only for
that particular instance of the web browser, not when started as a child
process of some other program. Online Armor has its Run Safer mode (and
the author of DropMyRights has his RunSafer utility to set restricted
policies on the web browser) that you can enable for an allowed
application to run under an LUA token but to turn it off means having to
wade through OA or rerun the policy utility to disable that option on
that program and that which is way too much hassle for me. Windows
Update, Adobe Flash update, and many other update or install sites will
not function with the browser under reduced rights or under GeSWall
under its isolated environment and severely reduced rights. I want the
web browser protected nearly most of the time but have an easy way to
switch to an unprotected mode, and GeSWall gives me that. I already
have virtual machines for more protection when trialing unknown or
untrusted software and didn't need another level of protection
granularity between restricting the web browser under my production
environment and running it unfettered but within a VM, so sandboxing was
what I needed, and GeSWall fit the need to restrict my browser.

Exploits, like the recent one with IE that could deliver a small payload
due to a buffer overrun, are isolated within GeSWall or a sandbox so
this protects you until the browser gets updated. However, there is
also Comodo Memory Firewall (not a firewall but a memory protection
utility to guard against buffer overruns) which is better than the
software DEP in Windows XP or Vista (which only protects against one
specific type of SEH chain corruption). CMF covers what DEP covers and
more. Instead of trapping the payload that got through an exploit
through the browser, CMF would detect the overrun and prompt to have you
terminate the process. CMF is called SafeSurf in CPF; that is, CPF v3
now includes CMF renamed as SafeSurf (however, it also included the Ask
Toolbar garbage which you should uninstall using Add/Remove Programs
after completing the CPF + SafeSurf install).

Their web site has you downloading their CIS product when you try to
download just their CPF product. During the install, I'd suggest NOT
including their antivirus product. Use a better free antivirus program.
Do include the SafeSurf component (but follow with an uninstall of the
Ask Toolbar), or separately get CMF.

CIS all components: No.
CIS with all but antivirus: Yes.
Add a good antivirus program (Avast, Avira).
Logon under a limited Windows account, or run Internet-facing apps, like
the web browser, under LUA token, in an isolated environment, under
tighter policies, or sandboxed.

Note that you can add something like HIPS to the Windows firewall by
using software restriction policies. Use the group policy editor
(gpedit.msc) and go under Computer Config -> Windows Settings ->
Security Settings -> Software Restrictions -> Additional Rules. Add a
path to identify the program that you don't want to block from loading.
This can even be done for Microsoft's own wgatray.exe program. I use it
for some others that I never want to allow to load.

After trialing many security products (all free for those that I
considered keeping for myself), my suite boiled down to:

VirtualPC 2007 (or VMWare Server)
- Test unknown or untrusted software.
- OS is clean (no security software). Prevents interference with good
programs. Lets bad programs exhibit their behavior since many will
quiesce when they detect security software (although a few also
quiesce when they notice they are running inside a VM).
- VirtualPC is easier to use than VMWare but VMWare has some nice
additional features.

Windows Firewall
- Decided not to use HIPS anymore. Got tired of all the investigations
to make intelligent choices regarding the prompts.
- With the router's firewall, have double-layered inbound-only
protection.
- Other reasons not necessary to get into here but basically to simplify
my setup and for compatibility.

Avast Antivirus
- Standard, Network, and Web shields enabled.
- Other shields are disabled as they are not applicable (don't use the
apps covered by those shields) or don't want them (like e-mail scanning
which is superfluous and often causes timing or mail session problems).

GeSWall
- Provides isolated environment for web browsers.
- Enforces severe privilege restrictions on web browsers beyond just
using an LUA token.
- Isolates ALL instances of web browsers no matter if opened directly or
started as a child process.
- Allows easy switch to non-protected browser using a titlebar button.
Needed for Windows Updates and several other trusted sites.
- No noticed impact on browsing speed.
- Less interference than using a sandbox (most of which are no longer
available for free or no longer supported, and Sandboxie turns into
once-a-day nagware after its 30-day trial).
- Free whereas Bufferzone and Defensewall are not; however, free version
of GesWall only isolates web browsers but which is the primary infection
vector into a host with e-mail coming in 2nd place.

Returnil
- Saves changes to a differencing [virtual] disk. You can discard them
through a reboot.
- Enabling the protection does not require a reboot.
- Can test unknown or untrusted software in my production environment
but restore the drive back to its prior state to completely erase the
new software from the drive (and not even have to bother uninstalling
it).
- Similar products are Microsoft's SteadyState (free) and ShadowSurfer
(was free but no more).

All this stuff is free. It all works together, too, with no conflict
and no noticeable slowdowns (except when testing software inside a VM).

Volker Birk

23 Dec 2008, 15:57:07
nik <niko...@gmail.com> wrote:
> I recently installed Comodo Internet Security and I would like to know your
> opinion on this application and how trustworthy it is.

You don't need a "Personal Firewall".

Yours,
VB.
--
"Any sufficiently advanced technology is indistinguishable from magic."

Clarke's third law

1PW

23 Dec 2008, 16:29:04
On 12/23/2008 06:31 AM, nik sent:

> Hello ppl,
>
> I recently installed Comodo Internet Security and I would like to know
> your opinion on this application and how trustworthy it is.

Comodo's _firewall_ is one of the fine replacements for the Windows
embedded firewall. I use their free firewall myself. However, you will
find that many of us prefer to use individual solutions for our
computer's various security threats and *not* the all-in-one security
"suites" that seem to promise it all.

> Will it keep my computer safe from online attacks and viruses given I
> don't download vicious apps myself and not visiting porn sites?

No. Not all of our security software will protect you from your
occasional lapses in judgment. A web site that /was/ malware free a few
minutes ago, is not necessarily safe a few minutes from now.

Do extensive self-paced study, You will find many satisfactory freeware
solutions for the many facets of computer security threats.

--
1PW

Kayman

24 Dec 2008, 03:56:39

I'd steer away from any Internet Security Suites; they're a waste of
your hard-earned dollars! And (especially) 3rd party personal firewalls
(PFW) are mostly badly coded, almost always very cumbersome to remove from
the operating system and, more importantly, don't add anything to your
desired security!

"*Security is a process not a product*" (Bruce Schneier).

10 Immutable Laws of Security.
http://technet.microsoft.com/en-us/library/cc722487.aspx

For WinXP the most dependable defenses are:-
1. Do not work as Administrator; For day-to-day work routinely use a
Least-privileged User Account (LUA).
Applying the Principle of Least Privilege to User Accounts on WindowsXP
http://technet.microsoft.com/en-us/library/bb456992.aspx

2. Secure (Harden) your operating system.
http://www.5starsupport.com/tutorial/hardening-windows.htm

3. Don't expose services to public networks.
Windows XP Service Pack 3 Service Configurations
http://www.blackviper.com/WinXP/servicecfg.htm

4. Keep your operating system (OS) (and all software on it) updated/patched.
How to configure and use Automatic Updates in Windows XP
http://support.microsoft.com/kb/306525
http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

4a.Got SP3 yet?
Why Service Packs are Better Than Patches.
http://www.microsoft.com/technet/archive/community/columns/security/essays/srvpatch.mspx?mfr=true

5. Reconsider the usage of IE and OE.
Utilizing another browser application and e-mail provider can add to the
overall security of the OS.
Consider: Opera, Firefox or SeaMonkey and Pegasus Mail, Thunderbird, or WLM.

5a.If you insist using IE - Secure (Harden) Internet Explorer.
Internet Explorer7 Desktop Security Guide.
http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

6. Review your installed 3rd party software applications/utilities; Remove
clutter, *including* all Anti-WhatEver ware and 3rd party software
personal firewall application (PFW) - the one which claims:
"It can stop/control malicious outbound traffic".

7. If on a dial-up Internet connection, activate the built-in firewall.
Windows XP: How to turn on your firewall.
http://www.microsoft.com/protect/computer/firewall/xp.mspx

7a.Configure Windows by using:
Seconfig XP 1.1
http://seconfig.sytes.net/

7b.If on high-speed Internet connection use a Router and implement
Countermeasures against DNSChanger.
http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html

7c.And (just in case) Wired Equivalent Privacy (WEP) has been superseded by
Wi-Fi Protected Access (WPA).

8. Utilize one (1) each 'real-time' anti-virus and anti-spy application.
Consider: Avira AntiVir® PersonalEdition Classic - Free
and Windows Defender.

9. Employ back-up application(s).
Windows XP Backup Made Easy
http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx
Consider: Acronis, Casper or Norton Ghost and ERUNT.

9a.Utilize vital operating system monitor utilities/applications.
Consider: Process Explorer, AutoRuns, TCPView, WALLWATCHER, Wireshark,
Port Reporter etc.

10.Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

The least preferred defenses are:-
Myriads of popular anti-whatever (*real-time*) applications and staying
ignorant.

Note:
Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).

Good luck :)

nik

24 Dec 2008, 06:23:12

"VanguardLH" <V...@nguard.LH> wrote in message
news:giri1l$vbc$1...@news.motzarella.org...


>
> nik wrote:
>
>> Hello ppl,
>>
>> I recently installed Comodo Internet Security and I would like to know
>> your
>> opinion on this application and how trustworthy it is.
>> Will it keep my computer safe from online attacks and viruses given I
>> don't
>> download vicious apps myself and don't visit porn sites?
>

> CIS all components: No.


> CIS with all but antivirus: Yes.
> Add a good antivirus program (Avast, Avira).
> Logon under a limited Windows account, or run Internet-facing apps, like
> the web browser, under LUA token, in an isolated environment, under
> tighter policies, or sandboxed.
>

First of all, thank you very much for your thorough answer.

I have decided to keep CPF but I have removed the antivirus component as you
said.

As for AV, Avira is very nice. I used it and Avast too, but a new player seems
stronger than those 2 AVs are.
Its name is Ikarus Virus Utilities v1.0.91

I have just installed it and it has detected a trojan dropper and an infection
that Avira and Avast couldn't detect.
So I am keeping Ikarus, but as a con it's a very heavy product because I have
only 512 MB of SDRAM.

Now what's your opinion about Ikarus? Have you tried it out yourself?

As for the LUA, I have always used XP and logged in as an administrator.
You mean I should create a new user account but limited, or a guest one, and
use that?

But then how will I be able to install new applications if I am in LUA mode?

As for a browser, I am currently using Google's Chrome. If I use a sandbox, will
it be able to save files from web pages on my HDD?

Wolfgang Kueter

24 Dec 2008, 13:05:51
nik wrote:

> as for the LUA ia have always used xp and logged in as an administrator.
> you mean I should create a new user account but limited

You should have done that in the first minute after installing XP.

> or a guest one and
> use that?
>
> But then how will I be able to install new applications if I am in LUA
> mode?

Just the normal way:

- log out as user
- log in as administrator, install the software
- log out as administrator
- log in as user and use the software

Wolfgang

nik

24 Dec 2008, 15:35:44

"Wolfgang Kueter" <wolf...@shconnect.de> wrote in message
news:gittlv$sgs$1...@news.shlink.de...


>
> nik wrote:
>
>> As for the LUA, I have always used XP and logged in as an administrator.
>> You mean I should create a new user account but limited
>
> You should have done that in the first minute after installing XP.

I just created one right now, although it feels unfamiliar :-)

>> or a guest one and
>> use that?
>>
>> But then how will I be able to install new applications if I am in LUA
>> mode?
>
> Just the normal way:
>
> - log out as user
> - log in as administrator, install the software
> - log out as administrator
> - log in as user and use the software

Well, I am the kind of guy that tries out new applications and games every day.

It will be a tedious task, each time I want to install an app, logging
out and logging in again 4 times.

Is there a way, while being in LUA mode, to be able to install new
applications or remove old ones without having to log out and log in again as
admin and then log out again to use them?

Something similar to Linux, where just by providing the root password
one can make system-wide changes.

Is there an option in LUA to run/install something as administrator?

VanguardLH

24 Dec 2008, 16:10:47
nik wrote:

> Ikarus Virus

It isn't that new. I just found a blog that mentions it back in October
2007 (http://www.av-comparatives.org/weblog/?p=78). Yet I don't see
Ikarus listed in any of their comparative reports (to see how well is
its coverage). I did find a Sep 2007 white paper there for a separate
test (http://av-comparatives.org/seiten/ergebnisse/ikarus07.pdf). Read
the last sentence of section 4. Maybe they've gotten better since then
regarding false positives, so that it detected something not found by
other antivirus programs may simply mean it was a false positive. Did
you ever submit the suspect file to the multi-scanner sites of
VirusTotal (http://www.virustotal.com/) or Jotti
(http://virusscan.jotti.org/)?

http://www.ikarus.at/
Never trialed it. I'll wait until they get an English version web site.

> as for the LUA ia have always used xp and logged in as an
> administrator. you mean I should create a new user account but
> limited or a guest one and use that?
>
> but then hopw will I be able to install new application if iam on LUA
> mode?

You can choose to create a new Windows account that is a limited
(standard) account. That will restrict what you can do, and what
malware can do, too. Of course, to install software you will probably
have to logoff and logon under an admin-level account. This is a
nuisance but has been a long-time recommendation by those that don't
want to bother using protection utilities on their web browser while
logged under an admin-level account. Using a limited Windows account
is a lot of hassle but it does have some advantages. I have way too
many duties and activities that require using an admin-level account to
waste my time trying to use a limited Windows account. I'd be
repeatedly bouncing between my standard and admin-level accounts during
the day.

A process can be made to run under a LUA (limited user account) token.
That is, the process will have the same privileges as that token. Since
the token has the limitation of a standard user account, that process
is also limited. But that only applies when you run that process under
the limited environment. When using DropMyRights, SysInternals'
psexec, or other such utilities that run the child process under
limited privileges, only the process they start is limited. So if you
use them to start the web browser, that instance of the web browser is
limited and you get more protection. If you do not use them to start
the web browser but instead start the web browser directly, you are
running an unlimited browser process just like you are now. Since
these utilities only limit the process they start, they will not limit
the same process started by some other application, like e-mail. So
they do not help to limit the browser when, say, you click on a URL in
an e-mail. The only time you'll have a limited browser is when you
specifically use these utilities to drop their privileges. Unless you
use these utilities to load the web browser, your web browser will be
running unlimited.

The author of DropMyRights also wrote a RunSafer utility. It modifies
policies for the application to reduce its privileges. That means that
program will always run limited no matter what application started it.
However, when you need to run unlimited, like when visiting Windows
Update, doing an Adobe Flash update, etc., you can't until you rerun
that utility to remove those limiting policies. The same is true of
Online Armor and its Run Safer option you can enable on an application.
It will always run that application under limited privileges and you're
stuck having to wade through their config screens to disable the Run
Safer option and then go start that application. A lot of hassle.

GeSWall is both a policy enforcer and a near-sandbox. Not only does
GeSWall enforce the limited privileges of running a process under a LUA
token but restricts it even further as to where in the registry and
file system that the restricted process can write or read. Anything
downloaded by that restricted process is tracked as untrusted and
you'll get warned when you try to run it that it is untrusted. If the
payload gets run, like using a buffer overrun exploit, it is run inside
the isolated mode in which that restricted process is running under
control of GeSWall. A sandbox, like Sandboxie, is even more
restrictive than GeSWall but also more a nuisance to use if you do want
to keep something of your browser session. The next further
restrictive step is to use a virtual machine.

You could just use DropMyRights or SysInternals psexec to limit the web
browser only when you want it limited, like making a shortcut for it on
your desktop and Quicklaunch toolbar. However, that would be the only
time your browser is limited. Clicking on a URL link in an e-mail or
some application whose help uses the browser to look at the online
pages for that help would mean that browser is unlimited. On some of
my hosts, I use GeSWall to automatically ensure that every web browser
instance is limited and also isolated no matter who started it, plus I
can easily switch back to non-isolated, unlimited mode for the browser
just by clicking a "G" button in the titlebar. On some of my other
hosts, I don't use GeSWall and instead just use the SysInternals'
psexec program (or I could use DropMyRights) to limit just the
instances of the browser that I choose to start. Depends on the
software config on a host and how comfortable you feel with what level
of interfering security. All security interferes with your work, some
methods being worse than others.

> As for a browser iam currently using Google's Chrome. If I use Sandbox
> will it be able to save files from web pages on my hdd?

Google bought GreenBorder which was a sandboxing utility. They
incorporated it into their Chrome web browser. There is also
separation between each tab that you open in that it starts another
process plus each is using the GreenBorder technology to sandbox each
tab's process. I haven't experimented much with Chrome. While it does
have some very good advances for web browser features, I simply don't
like it. Not just because of its slimmed-down UI but mostly for a lack of
features along with the lack of an army of add-ons to customize it. For
one, when using a sandbox for the web browser, like Sandboxie, I can
choose to keep some content from the sandboxed environment when I close the
browser. Can't do that with the sandboxed tab processes for Chrome.
If I wanted to go further than GeSWall to limit and protect my web
browsers, I'd probably look into Sandboxie (alas, their free version is
just too crippled in that it won't protect all instances of an
application no matter who starts it and it turns into nagware after the
30-day trial). I do hope that it will spur Microsoft and Mozilla to
incorporate similar sandboxing into their browsers. See Google's comic
strip for more info about Chrome and its limited sandboxing scheme on
page 25 at:

http://www.google.com/googlebooks/chrome/

Ansgar -59cobalt- Wiechers

24 Dec 2008, 19:56:24
nik <niko...@gmail.com> wrote:
> "Wolfgang Kueter" <wolf...@shconnect.de> wrote in message
>> nik wrote:
>>> But then how will I be able to install new applications if I am in LUA
>>> mode?
>>
>> Just the normal way:
>>
>> - log out as user
>> - log in as administrator, install the software
>> - log out as administrator
>> - log in as user and use the software
>
> Well, I am the kind of guy that tries out new applications and games
> every day.
>
> It will be a tedious task, each time I want to install an app,
> logging out and logging in again 4 times.

"Fast User Switching" or "Run As..." come to mind ...

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Ansgar -59cobalt- Wiechers

24 Dec 2008, 20:00:40
VanguardLH <V...@nguard.lh> wrote:
> A process can be made to run under a LUA (limited user account) token.
> That is, the process will have the same privileges as that token. Since
> the token has the limitation of a standard user account, that process
> is also limited. But that only applies when you run that process under
> the limited environment. When using DropMyRights, SysInternals'
> psexec, or other such utilities that run the child process under
> limited privileges, only the process they start is limited. So if you
> use them to start the web browser, that instance of the web browser is
> limited and you get more protection.

Since Microsoft has documented that the *desktop* not the process is the
security boundary with Windows, that's most definitely *not* what you
want to do. Instead you want to create an LUA, do your everyday work
with that account, and only switch to an admin account to do
administrative work.

VanguardLH

24 Dec 2008, 22:01:25
Ansgar -59cobalt- Wiechers wrote:

> VanguardLH <V...@nguard.lh> wrote:
>> A process can be made to run under a LUA (limited user account) token.
>> That is, the process will have the same privileges as that token. Since
>> the token has the limitation of a standard user account, that process
>> is also limited. But that only applies when you run that process under
>> the limited environment. When using DropMyRights, SysInternals'
>> psexec, or other such utilities that run the child process under
>> limited privileges, only the process they start is limited. So if you
>> use them to start the web browser, that instance of the web browser is
>> limited and you get more protection.
>
> Since Microsoft has documented that the *desktop* not the process is the
> security boundary with Windows, that's most definitely *not* what you
> want to do. Instead you want to create an LUA, do your everyday work
> with that account, and only switch to an admin account to do
> administrative work.
>
> cu
> 59cobalt

Huh? Just where did I ever mention the desktop process (the first
instance of explorer.exe) being the parent of all processes? It can be.
It might not. I said these utilities only limited the child process it
starts and why they are NOT complete solutions if and only if you demand
that all instances of a particular process be limited. The part you
snipped out was where I mentioned that other solutions take care of
limiting ALL instances of that program no matter how it was started.
Some folks like it always protected (but might also want some means of
temporarily disabling the protection) so the method of using a utility
for those instances you want to protect is what they want. They don't
want to use a limited Windows account. Some want all instances
protected for only some programs but not all of them so the 3rd party
utilities, like GeSWall, DefenseWall, Bufferzone, Sandboxie, SafeSpace,
etc., let them default to limiting those processes but they still have
an "out" when limiting the process makes it unusable.

Please provide a reference to that Microsoft documentation.

The "desktop" is just explorer.exe handling it. You could, if you
wanted to and found one that was usable, replace that desktop program
with some 3rd party program. Securing the boundary of a process is how
you secure it. You don't need to backtrack through every parent process
in the chain since it isn't the parent(s) that are committing the
actions that you want to secure. Even the 3 techniques that Microsoft
went with in Vista (User Access Control, Mandatory Integrity Control,
and User Interface Privilege Isolation) do not try to secure at the
desktop since only sometimes is that instance of explorer.exe the parent
process.

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

I never said that the desktop (first explorer.exe instance) is what you
run using an LUA token and then hope every child process started by it
is then also ran with limited privileges. I didn't say that every
process that the user starts, that is started as a child process, is
scheduled, or otherwise started is a child of the desktop process. I
said you use the LUA token on the process (program) that you want to
restrict - at the level at which you wish to enforce those limitations
and for every child process started thereafter from that limited parent
process.

The majority of your programs are local and don't need to be limited.
It is your Internet-facing apps that you want to limit, with the web
browser being the primary target and e-mail client is the 2nd target.
I'd like to see just how productive you would be in a software QA
position in trying to install, uninstall, and debug programs while under
a limited Windows account. Whether a limited Windows account is the
solution depends entirely on how you use your own host and for what
tasks. Hell, even many games won't play under a limited account. You
say to only switch to an admin-level account when there are admin tasks
to perform. What if those admin tasks constitute the large number or
majority of the user's tasks? Security is great but ONLY if it doesn't
get in the way of the user performing the tasks they want to perform.
So how many multiple levels of doors do you lock when you leave your
house? After you start adding several levels, when would you realize
that they are getting too much in your way?

Your browser running under a limited (standard) Windows account or
loaded under restrictions of a LUA token while you are logged in as an
admin will still have the same set of limited privileges. You haven't
gained anything going to a limited Windows account for the browser that
you couldn't have had while running it under an admin account with the
same limitations. The same loss of privileges for the web browser
occurs under the limited account or under the LUA token.

If you want to see what privileges your browser has, get SysInternals'
Process Explorer. Right-click on the browser process in Process
Explorer and look at its properties to see its security properties
(privileges). You don't have any more privileges running under a LUA
token under an admin account than you do for it running under a limited
account.

http://msdn.microsoft.com/en-us/library/aa446583(VS.85).aspx

1) Limited account + web browser
2) Admin account + web browser + LUA token
Same reduced privileges for both 1 and 2.

Also, running with reduced privileges is only one layer in malware
protection. Don't expect it to protect you from all pests. Do you
think Google Earth cannot be installed under a limited account? It
installs because it simply deposits (copies) files into the user's
profile path to which they have write access, and it will run from there
because the user had execute permissions there, too. The "install" is
simply a copy and it will run under that limited account. That the
payload cannot perform some functions doesn't prevent it from, say,
deleting all your files since the user under a limited account can do
that, too. Don't expect limited privileges to provide some magic bullet
against malware. It's just another layer of protection.
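
As an added illustration of cases 1) and 2) above, and not code from the thread or from DropMyRights, Process Explorer or any other tool named in it, the PowerShell script below reports what the current token carries (the same user, group and privilege data Process Explorer shows on a process's Security tab) and then starts a program under the built-in "Basic User" restricted token with runas.exe, which gives the same reduced-privilege effect the post describes for DropMyRights. The Firefox path is an assumption, as is the availability of runas /trustlevel and whoami.exe on the host (Windows XP or later).

```powershell
# Added example, not code from the thread. Assumes Windows XP or later,
# PowerShell 2.0+, and whoami.exe / runas.exe on the PATH.
# The Firefox path used at the bottom is an assumption; adjust for your host.

function Test-IsAdminToken {
    # True when the token this PowerShell runs with is in the Administrators
    # role. Deny-only group SIDs (restricted tokens) do not count as membership.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenSummary {
    # Collect what Process Explorer shows on the Security tab: user, groups,
    # and the privileges held by the current token.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $g.Value }   # SIDs that cannot be resolved are reported raw
    }
    # whoami /priv lists the token's privileges; /fo csv makes it parseable
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    New-Object PSObject -Property @{
        User       = $id.Name
        IsAdmin    = Test-IsAdminToken
        Groups     = $groups
        Privileges = $privs | ForEach-Object { $_.'Privilege Name' }
    }
}

function Start-BasicUserProcess {
    param([Parameter(Mandatory = $true)][string]$CommandLine)
    # 0x20000 is the "Basic User" SAFER level: runas builds a restricted
    # token (Administrators becomes deny-only, admin privileges are dropped)
    # and starts the command line under it. 'runas /showtrustlevels' lists
    # the levels the host offers.
    runas /trustlevel:0x20000 $CommandLine
}

# --- usage ---
$before = Get-TokenSummary
"Logged-on token: {0} (admin: {1}), {2} privileges" -f `
    $before.User, $before.IsAdmin, @($before.Privileges).Count

# Case 2) from the post: admin account + browser + restricted token.
Start-BasicUserProcess -CommandLine 'C:\Program Files\Mozilla Firefox\firefox.exe'

# To inspect the restricted token itself, start a shell the same way and let
# it read its own token: Administrators is listed as "Group used for deny only".
Start-BasicUserProcess -CommandLine 'cmd.exe /k whoami /groups /priv'
```

Run it once from an admin logon and once from a limited account: IsAdmin is False and the privilege list shrinks to the same handful in both the limited-account case and the restricted-token case, which is the comparison the post makes. The first run from an admin logon shows the full privilege set the browser would otherwise inherit.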

VanguardLH

24 Dec 2008, 23:13:45

Ansgar wrote:

> nik wrote:
>> Wolfgang Kueter wrote:
>>> nik wrote:
>>>> but then how will I be able to install new application if I am on
>>>> LUA mode?
>>>
>>> Just the normal way: - log out as user - log in as administrator,
>>> install the software - log out as administrator - log in as user
>>> and use the software
>>
>> It will be a tedious task having each time I want to install an app
>> logging out and logging in again 4 times.
>
> "Fast User Switching" or "Run As..." come to mind ...

Providing the host has enough memory to accommodate leaving all the
processes running from the limited account so you can switch to another
admin-level account. Fast User Switching leaves all the processes
running. Plus it isn't just software installs for why users may need
to be logged under an admin-level account. Fast User Switching (FUS)
will add 10MB of memory consumption to each context (each active
account), and then there's the memory consumed by each application you
run in the other concurrent active account. That 10MB can vary
greatly depending on how many startup programs are loaded when you open
the other account through FUS (Startup folder, Run registry key,
winlogon events, and other startup locales in the registry); however,
you really shouldn't be loading much in your admin-level account but
even the security programs will consume memory.

There are also some applications that won't run under Fast User
Switching (because they won't run concurrently under multiple active
Windows accounts). Some clipboard manager utilities come to mind. They
weren't designed to have multiple copies of themselves running at the
same time, especially under different accounts with different privileges
(policies). They were designed to run under an NT environment but not
under a multi-user environment. The user would have to ensure that such
programs did not get loaded on login for the admin-level account to
prevent the duplicity. Yeah, you could get rid of this software but it
might be something you really want or truly need to do your work. The
point of the computer is to do the tasks that you want. You pick your
applications based on your needs and then choose the OS. The other way
around has you selecting the OS and using its security features but
maybe losing critical applications because they won't work under
concurrent active accounts. You need the application first (to do your
required tasks), not the OS (which is just the plate on which you serve
the meal). Also, in the KB 294739 article below, you might have
installed (or you might later install) an app that interferes with Fast
User Switching (FUS). There have been many users that complained that
they were using FUS and then it stopped working. I believe another
reason FUS stops working is if the user enabled offline files
(http://support.microsoft.com/kb/307853). It is also possible to
programmatically enable/disable FUS or do it via a registry edit, which
means malware can do it, too.

There is also the problem of trying to share resources across the
multiple active accounts. An open file handle for a file in a folder
could cause problems in the other account that wants to delete the
folder or have write permission to that file.

Remember that Fast User Switching is *not* available when connected to a
domain for Windows XP (it is available when on a domain when using
Vista). It is only available in a workgroup setting because it only
lets you switch between local accounts. nik never mentioned WHICH
version of Windows that he is using, or if he is logging onto a domain
or logging on locally (into a workgroup). Read
http://support.microsoft.com/?kbid=294739 and
http://windowsitpro.com/article/articleid/27402/under-what-conditions-is-fast-user-switching-available-in-windows-xp.html.

As I recall, if Fast User Switching is enabled, you're stuck having to
use the Fisher-Price Welcome Screen in order to select the other account
to switch to. This is one of the first tweaks I do after a WinXP
install to get rid of the Fisher-Price fluff crap. Note that you should
NEVER use the Administrator account even to do admin tasks. Always
create another admin-level account (i.e., in the Administrators group)
and use that one. If your Administrator profile gets corrupt and you
cannot load its desktop, you're screwed, so use a secondary admin-level
account and leave the Administrator account completely alone except in
case of extreme emergency. The Administrator account will disappear
from the Welcome Screen once you define another admin-level account (a
registry hack can put it back, or twice tap the Ctrl+Alt+Del key combo
to bring up the classic login screen).

When using the Welcome Screen, you divulge half your logon credentials
to anyone that can see that screen, like when letting other users use
your host (even when using their own accounts). Besides trying to get
my password, I'd also like to make them try getting my logon name.

Some users like to leave the password blank to their account for ease in
logging in although it removes a major security feature of NT-based
Windows. FUS requires that at least one of the accounts between which
you are switching has a non-blank password.

Be careful of locking yourself out of your accounts. A security policy
locks an account if too many unsuccessful logon attempts are executed
against an account. You can see these values in the group policy editor
(gpedit.msc) or local security policy editor (secpol.msc). If you are
the only user of your host, this probably won't happen. If you let
others share your host and they use FUS to try cycling to another
account and do it enough times then they could lock out your account(s).
If you share and use FUS, you might want to reconsider the current
settings for the lockout security policies (to shorten the lockout
period and the number of bad attempts). If you're on a domain, you
don't get to modify those policies that get pushed to your host (unless
you have an admin login on the domain that gives you privileges to your
own host to make registry edits using .reg files in your Startup
folder).

Many software installs that require admin privileges to complete will
also require a reboot. That means you will be slamming your other
account that you switched away from but which may still have
applications running and open files. Make sure to close all apps in the
other non-admin account before you permit the reboot for the install in
the admin account (hopefully the install will prompt for a reboot
instead of just doing it without permission).

I haven't bothered to investigate into any security vulnerabilities of
using Fast User Switching simply because I don't use it myself (i.e.,
for me, any vulnerabilities would be a non-issue).

There can be advantages to Fast User Switching. There can also be
disadvantages and pitfalls but if you can avoid them without losing any
tasks that you need to perform then it's one way to do most of your
tasks under a limited account and have an admin-level account within
easy reach.
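
The conditions this post lists before relying on Fast User Switching (whether FUS is switched on, domain membership, the account lockout policy, and the processes still running in the other session before an install reboots the box) can be checked from PowerShell. The script below is an added example, not from the thread or from the KB articles it links; the registry value it reads for the FUS switch (Winlogon\AllowMultipleTSSessions) is the one Windows XP uses to my knowledge and is marked as an assumption in the code, and net.exe and WMI are assumed to be available (Windows XP or later).

```powershell
# Added example, not code from the thread. Assumes Windows XP or later with
# PowerShell 2.0+, net.exe on the PATH and WMI available. The registry
# location of the Fast User Switching switch is an assumption (Windows XP).

function Get-FusStatus {
    # XP keeps the FUS on/off switch in Winlogon\AllowMultipleTSSessions
    # (assumed location). FUS is also unavailable on XP when domain-joined.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        RegistrySwitchOn = ($item -ne $null -and $item.AllowMultipleTSSessions -eq 1)
        DomainJoined     = [bool]$cs.PartOfDomain
    }
}

function Get-LockoutPolicy {
    # Parse the lockout lines that 'net accounts' prints for the local policy
    # (the same values secpol.msc shows under Account Lockout Policy).
    $lines = net accounts
    $policy = @{}
    foreach ($line in $lines) {
        if ($line -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s*(.+)$') {
            $policy[$matches[1]] = $matches[2].Trim()
        }
    }
    return $policy
}

function Get-OtherSessionProcesses {
    # Processes running in a logon session other than this one: the ones a
    # reboot from this admin session would slam. On Vista and later session 0
    # holds services, so they show up here too; on XP it is the console user.
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Process |
        Where-Object { $_.SessionId -ne $mySession } |
        Sort-Object SessionId, ProcessName |
        Select-Object SessionId, Id, ProcessName
}

# --- usage ---
$fus = Get-FusStatus
"FUS registry switch on: {0}; domain-joined: {1}" -f $fus.RegistrySwitchOn, $fus.DomainJoined
Get-LockoutPolicy | Format-Table -AutoSize
Get-OtherSessionProcesses | Format-Table -AutoSize
```

Run it from the admin-level account before you let an installer reboot: an empty process list from Get-OtherSessionProcesses (apart from services) means nothing in the limited session will lose open files, and a Lockout threshold of "Never" means the FUS cycling the post warns about cannot lock anyone out.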

Ansgar -59cobalt- Wiechers

25 Dec 2008, 06:33:54

VanguardLH <V...@nguard.lh> wrote:
> Ansgar wrote:
>> nik wrote:
>>> Wolfgang Kueter wrote:
>>>> nik wrote:
>>>>> but then how will I be able to install new application if I am on
>>>>> LUA mode?
>>>>
>>>> Just the normal way: - log out as user - log in as administrator,
>>>> install the software - log out as administrator - log in as user
>>>> and use the software
>>>
>>> It will be a tedious task having each time I want to install an app
>>> logging out and logging in again 4 times.
>>
>> "Fast User Switching" or "Run As..." come to mind ...
>
> Providing the host has enough memory to accommodate leaving all the
> processes running from the limited account so you can switch to
> another admin-level account. Fast User Switching leaves all the
> processes running. Plus it isn't just software installs for why users
> may need to be logged under an admin-level account. Fast User
> Switching (FUS) will add 10MB of memory consumption to each context
> (each active account), and then there's the memory consumed by each
> application you run in the other concurrent active account.

In a day and age where RAM is measured in GB rather than MB, and for a
system with only a single user like the OP seems to have, that's hardly
a problem.

[...]

> There are also some applications that won't run under Fast User
> Switching (because they won't run concurrently under multiple active
> Windows accounts). Some clipboard manager utilities come to mind.
> They weren't designed to have multiples of themself running as the
> same time, especially under different accounts with different
> privileges (policies). They were designed to run under an NT
> environment but not under a multi-user environment.

Don't use b0rken software. Problem solved.

[...]

> Note that you should NEVER use the Administrator account even to do
> admin tasks.

That's plain and utter nonsense. I'd like to see a single valid reason
for this ridiculous claim.

> Always create another admin-level account (i.e., in the Administrators
> group) and use that one. If your Administrator profile gets corrupt
> and you cannot load its desktop, you're screwed, so use a secondary
> admin-level account and leave the Administrator account completely
> alone except in case of extreme emergency.

Boot the recovery console, rename the administrator profile, reboot, log
in as administrator. A new profile will be created. Not that it were a
bad thing to have a backup admin account, it's just not necessary.

Ansgar -59cobalt- Wiechers

25 Dec 2008, 06:57:10

VanguardLH <V...@nguard.lh> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> VanguardLH <V...@nguard.lh> wrote:
>>> A process can be made to run under a LUA (limited user account) token.
>>> That is, the process will have the same privileges as that token. Since
>>> the token has the limitation of a standard user account, that process
>>> is also limited. But that only applies when you run that process under
>>> the limited environment. When using DropMyRights, SysInternals'
>>> psexec, or other such utilities that run the child process under
>>> limited privileges, only the process they start is limited. So if you
>>> use them to start the web browser, that instance of the web browser is
>>> limited and you get more protection.
>>
>> Since Microsoft has documented that the *desktop* not the process is the
>> security boundary with Windows, that's most definitely *not* what you
>> want to do. Instead you want to create an LUA, do your everyday work
>> with that account, and only switch to an admin account to do
>> administrative work.
>
> Huh? Just where did I ever mention the desktop process (the first
> instance of explorer.exe) being the parent of all processes?

You didn't. And I never said you did. You missed my point.

> It can be. It might not. I said these utilities only limited the
> child process it starts and why they are NOT complete solutions if and
> only if you demand that all instances of a particular process be
> limited. The part you snipped out was were I mentioned that other
> solutions take care of limiting ALL instances of that program no
> matter how it was started. Some folks like it always protected (but
> might also want some means of temporarily disabling the protection) so
> the method of using a utility for those instances you want to protect
> is what they want. They don't want to use a limited Windows account.
> Some want all instances protected for only some programs but not all
> of them so the 3rd party utilities, like GeSWall, DefenseWall,
> Bufferzone, Sandboxie, SafeSpace, etc., let them default to limiting
> those processes but they still have an "out" when limiting the process
> makes it unusable.
>
> Please provide a reference to that Microsoft documentation.

http://support.microsoft.com/default.aspx?scid=kb;en-us;327618

The article refers to system services, but of course the very same
applies to all interactive processes (read: processes with windows
attached to them) running with elevated privileges.

> The "desktop" is just explorer.exe handling it.

Ummm... yes, I am well aware that explorer.exe manages the desktop. I'm
also aware of how the default shell can be changed. However, that
doesn't change a single thing about how the window messaging system
works.

> You could, if you wanted to and found one that was usable, replace
> that desktop program with some 3rd party program. Securing the
> boundary of a process is how you secure it.

Unfortunately it's not that easy, since the Windows GUI adds another
method for IPC (sending messages between windows) that does not have any
security system at all (or, judging from the blog article you mentioned
below, did not have one before Vista). That leaves it up to each single
programmer to handle incoming messages, and Visual Studio's default is,
of course, to use the default handlers provided by Microsoft.

Apparently Vista introduced some kind of privilege separation there, so
Vista may be fine (assuming that this system is working in the first
place). However, if the OP uses XP or earlier (not sure if he does,
AFAICS he didn't mention his OS) that simply won't work.

nik gr

25 Dec 2008, 07:18:05

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:giulvo...@news.in-ulm.de...

> VanguardLH <V...@nguard.lh> wrote:
>> A process can be made to run under a LUA (limited user account) token.
>> That is, the process will have the same privileges as that token. Since
>> the token has the limitation of a standard user account, that process
>> is also limited. But that only applies when you run that process under
>> the limited environment. When using DropMyRights, SysInternals'
>> psexec, or other such utilities that run the child process under
>> limited privileges, only the process they start is limited. So if you
>> use them to start the web browser, that instance of the web browser is
>> limited and you get more protection.
>
> Since Microsoft has documented that the *desktop* not the process is the
> security boundary with Windows, that's most definitely *not* what you
> want to do.

I didn't understand this sentence. Can you please put it more simply?

> Instead you want to create an LUA, do your everyday work
> with that account, and only switch to an admin account to do
> administrative work.

But as an answer to me in a previous post in this thread you said that
administrative tasks can be done with ease by selecting "Run as..." within a
LUA. Correct?
So, why switch back and forth from LUA to admin level when we can do our
admin tasks within our LUA environment?

nik gr

25 Dec 2008, 07:57:01

"VanguardLH" <V...@nguard.LH> wrote in message
news:giut1p$7ra$1...@news.motzarella.org...


> 1) Limited account + web browser
> 2) Admin account + web browser + LUA token

Very nice and straightforward comparison.

> Same reduced privileges for both 1 and 2.

But PLUS extra functionality in case (2) where all admin tasks (such as
install, update, remove, debug) can be performed with ease and without the
hassle of switching back and forth to different-level accounts.

> Also, running with reduced privileges is only one layer in malware
> protection. Don't expect it to protect you from all pests. Do you
> think Google Earth cannot be installed under a limited account? It
> installs because it simply deposits (copies) files into the user's
> profile path to which they have write access, and it will run from there
> because the user had execute permissions there, too. The "install" is
> simply a copy and it will run under that limited account. That the
> payload cannot perform some functions doesn't prevent it from, say,
> deleting all your files since the user under a limited account can do
> that, too. Don't expect limited privileges to provide some magic bullet
> against malware. It's just another layer of protection.

a) At that point can you please explain to me the GREATEST REASONS of
running under a Windows limited account or running under a LUA token under
an admin account as opposed to running as I am now, which is JUST PURE admin
level?

I would understand this better if you could tell me, in the case of a
hypothetical infection by malware (i.e. a trojan horse), what it can do to an
admin-level account that it wouldn't be able to do in a limited account.

Let's say the infection took place from Firefox visiting an infected webpage.


b) One last thing folks I would like to ask is, for example, let's say I keep
using my admin account running my internet-facing apps fully
privileged.

Why do all the security stuff you mentioned when I have CPF installed on my
admin account which is eligible to notify me on EVERY malicious possible
action a malware that’s found its way into my system trying to perform?

If it tried to put itself on WinXP startup it will tell me about it and I
block it, same way if it tries to inject data into another process I will be
notified and block it, or if it tries to use Windows services to abuse them
and hide itself I will also be notified to block it.

So if I have such good protection with CPF why bother installing software
like DropMyRights or 'psexec'? CPF is a tough cop and spy as to what happens
on my system and NOTHING WILL EVER BE INSTALLED OR DO SOMETHING HARMFUL
WITHOUT ME KNOWING ABOUT IT AND ALLOWING IT?

Won't you agree with me?!

VanguardLH

25 Dec 2008, 12:53:22

Ansgar -59cobalt- Wiechers wrote:

Which also means the OS and apps will fill up more as there is more
available. Users still have to limit what they can concurrently have
running if they also want their host to remain responsive.

>> There are also some applications that won't run under Fast User
>> Switching (because they won't run concurrently under multiple active
>> Windows accounts). Some clipboard manager utilities come to mind.
>> They weren't designed to have multiples of themself running as the
>> same time, especially under different accounts with different
>> privileges (policies). The were designed to run under an NT
>> environment but not under a multi-user environment.
>
> Don't use b0rken software. Problem solved.

Not your choice. Sometimes no other choice is available to the user,
either. Again, you first choose the apps that do your tasks. The OS is
secondary and consequential to the apps that you must use. So are you
going to pay another $20,000 for some other somewhat but not exactly
equivalent vertical app that was coded specifically to your small
company's needs when the programmer is no longer around to recode that
old software to rewrite a new version from scratch?
Apps first, OS second.

>> Note that you should NEVER use the Administrator account even to do
>> admin tasks.
>
> That's plain and utter nonsense. I'd like to see a single valid reason
> for this ridiculous claim.

The part you chose to deliberately snip out gave the reason. The
solution you provide below regarding the cause that you snipped out may
not be an option at the time the problem occurs.

> Boot the recovery console, rename the administrator profile, reboot, log
> in as administrator. A new profile will be created. Not that it were a
> bad thing to have a backup admin account, it's just not necessary.

The vast number of users do NOT install the Recovery Console (.dat image
file) to have it easily available as a boot-time selection. They have
to go hunting for their install CD - if they have one since many
pre-builts only include a recovery CD with an image or no CD at all and
the recovery image is in a hidden hard disk partition, and for both are
not usable for booting to the Recovery Console. Also, if the user has
SATA drives, they then have to go hunting for a floppy on which they
have previously stored the SATA drivers and then remember to hit F6 at
the start of the load of the Recovery Console.

Most users don't even do backups whether logical file backups or image
backups. And you think they're going to have the Recovery Console
setup? Uh huh.

VanguardLH

25 Dec 2008, 13:03:53

Ansgar -59cobalt- Wiechers wrote:

> VanguardLH <V...@nguard.lh> wrote:
>>
>> Please provide a reference to that Microsoft documentation.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;327618

Thanks for the info. Regarding services, my recollection is that you
always had to design them to be non-interactive; otherwise, they could
hang waiting for human intervention that never occurs. Back when we QA
folks (not programmers per se) had to convert a program into a service
using srvany, one of the requirements was that the program must not have
any UI and require no human intervention. Of the security products that
I've tested, some use a service but have a separate UI app to control
its configuration or behavior.

Regarding the messaging system between windows, that's what the
application virtualization, sandboxing, or isolation security product is
supposed to be controlling or restricting between the red (isolated) and
green (non-isolated) processes.

>> You could, if you wanted to and found one that was usable, replace
>> that desktop program with some 3rd party program. Securing the
>> boundary of a process is how you secure it.
>
> Unfortunately it's not that easy, since the Windows GUI adds another
> method for IPC (sending messages between windows) that does not have any
> security system at all (or, judging from the blog article you mentioned
> below, did not have one before Vista). That leaves it up to each single
> programmer to handle incoming messages, and Visual Studio's default is,
> of course, to use the default handlers provided by Microsoft.

That I didn't know. Thanks for the info. My reading of the isolation
security apps that I was interested in was that they do control the
window messaging between red and green apps.

VanguardLH

25 Dec 2008, 13:33:36

nik gr wrote:

> "VanguardLH" <V...@nguard.LH> wrote in message
> news:giut1p$7ra$1...@news.motzarella.org...
>
>> 1) Limited account + web browser
>> 2) Admin account + web browser + LUA token
>
> Very nice and straightforward comparison.
>
>> Same reduced privileges for both 1 and 2.
>
> But PLUS extra functionality in case (2) where all admin tasks (such as
> install, update, remove, debug) can be performed with ease and without the
> hassle of switching back and forth to different-level accounts.

Just to be sure, I'm just presenting an alternate to having to bounce
back and forth between admin and non-admin accounts. For the majority
of users, the blanket statement to do your work under a non-admin
account is still good advice. It's just not advice that is usable by
all users but for them they need to add more security than what they get
just with Windows.

> a) At that point can you please explain to me the GREATEST REASONS of
> running under a Windows limited account or running under a LUA token under
> an admin account as opposed to running as I am now, which is JUST PURE admin
> level?

While LUA gives added security, it is not a panacea. However, it may
eliminate the need to be installing and running more security software
that can cause conflicts between themselves, consumes more memory and
CPU cycles, and overly restrict wanted behavior in applications than
what would occur under a LUA. There is a lot of security software out
there using different protection techniques and a lot of it doesn't work
with each other. Trying to find an entire security suite that is all
compatible is something akin to alchemy, and what works today might not
work tomorrow due to version changes that alter compatibility.

> I would understand this better if you could tell me, in the case of a
> hypothetical infection by malware (i.e. a trojan horse), what it can do to an
> admin-level account that it wouldn't be able to do in a limited account.
>
> Let's say the infection took place from Firefox visiting an infected webpage.
>
> b) One last thing folks I would like to ask is, for example, let's say I keep
> using my admin account running my internet-facing apps fully
> privileged.
>
> Why do all the security stuff you mentioned when I have CPF installed on my
> admin account which is eligible to notify me on EVERY malicious possible
> action a malware that's found its way into my system trying to perform?

The HIPS (Defense+) portion of CFP might prompt when it sees the small
payload delivered by a buffer overrun (assuming the app was allowed to
continue running upon the detected buffer overrun which SafeSurf is
supposed to catch). You would have to allow that code to load and run
by answering OK to the prompt. However, since the payload is running
within the same process or as a child of it, and since you permitted the
parent app to load (it's something you do want to run) then you might
not get a prompt. Back in version 2 of CFP, you could have it alert
when a parent wanted to start a child process. I don't recall if they
carried that forward to version 3. It isn't available in Online Armor.
I do know that when you okay a process, and if you have it in Paranoia
mode, that any additional behaviors detected later for the same app will
get prompted and it'll be up to you to figure out at that time if you
want to allow the additional behaviors. The problem here is that an app
may not exercise all its behaviors during your initial use of it, so as
you continue using the app then CFP will alert when you later trigger
the additional behaviors in that app. That's why HIPS, especially at an
extreme alert level, can be daunting to the typical user to figure out
how to properly configure for a good app. Both Comodo and OA provide
whitelists for many known good apps to reduce this prompting but CFP
doesn't use them in its paranoia mode (because that mode is what you
selected to have it prompt you about every behavior).

> If it tried to put itself on WinXP startup it will tell me about it and I
> block it, same way if it tries to inject data into another process I will be
> notified and block it, or if it tries to use Windows services to abuse them
> and hide itself I will also be notified to block it.
>
> So if I have such good protection with CPF why bother installing software
> like DropMyRights or 'psexec'? CPF is a tough cop and spy as to what happens
> on my system and NOTHING WILL EVER BE INSTALLED OR DO SOMETHING HARMFUL
> WITHOUT ME KNOWING ABOUT IT AND ALLOWING IT?

Answering all the prompts in paranoia mode can waste more time than you
want to spend. After all, the point of your computing platform is to
get your tasks done, not to tweak the OS and security programs trying to
harden that OS. I've gone that route where I had trialed many security
products trying to achieve the most secure Windows that I could have but
the performance and resource impact was too great, responsiveness of the
host was reduced, and I got tired of doing what seemed more work
securing the OS and apps than of actually using them. Too much security
is itself an interference - and, to some degree, also achieves what the
malware author intended: you spend inordinate resources trying to
protect yourself. Like terrorists, even if they don't attack, they
still get some satisfaction from your fear and all your efforts to
protect yourself.

There's ultimate protection. And then there's good-enough protection.
Do you everyday wear a Kevlar vest, pants, and bullet-resistant helmet
based on the premise that maybe one day someone shoots at you? Not even
SWAT does that. Trying to come up with a "flavor" for a security suite
for everyone just ain't gonna happen. Some are more paranoid than
others. Some users are more thoughtful or educated regarding their use
of their host. Some want someone else to come up with hardcoded
expertise instead of them figuring it out. Even what I like today might
not be what I like tomorrow for my security suite.

Based just on your original question, is CFP good? Yes, it is. Is it
all that you will need? No, especially in regards to its antivirus
component. How much more do you need? Depends on how badly you want to
choke your system. Over time, I end up with security products that I
eventually decide are beyond my comfort level. Besides, I'm willing to
flatten my host and do a fresh install of the OS and apps if need be,
plus I do incremental image backups that let me snapshot back to before
the infection. I don't spend more than a couple evenings trying to
disinfect my host since that's how long it would take me to rebuild it
(and even shorter for restores).

Security is nice but don't get too carried away with it.

Ansgar -59cobalt- Wiechers

25 Dec 2008, 13:32:07

VanguardLH <V...@nguard.lh> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> VanguardLH <V...@nguard.lh> wrote:
>>> Providing the host has enough memory to accommodate leaving all the
>>> processes running from the limited account so you can switch to
>>> another admin-level account. Fast User Switching leaves all the
>>> processes running. Plus it isn't just software installs for why
>>> users may need to be logged under an admin-level account. Fast User
>>> Switching (FUS) will add 10MB of memory consumption to each context
>>> (each active account), and then there's the memory consumed by each
>>> application you run in the other concurrent active account.
>>
>> In a day and age where RAM is measured in GB rather than MB, and for
>> a system with only a single user like the OP seems to have, that's
>> hardly a problem.
>
> Which also means the OS and apps will fill up more as there is more
> available. Users still have to limit what they can concurrently have
> running if they also want their host to remain responsive.

If you want that you're not using Vista in the first place. Did you ever
take a look at the ridiculous hardware requirements?

>>> There are also some applications that won't run under Fast User
>>> Switching (because they won't run concurrently under multiple active
>>> Windows accounts). Some clipboard manager utilities come to mind.
>>> They weren't designed to have multiples of themselves running at the
>>> same time, especially under different accounts with different
>>> privileges (policies). They were designed to run under an NT
>>> environment but not under a multi-user environment.
>>
>> Don't use b0rken software. Problem solved.
>
> Not your choice.

Of course everyone is free to ignore the solution to their problem. They
just shouldn't come complaining afterwards.

> Sometimes no other choice is available to the user, either.

And most of the time (virtually all of the time actually) it's just a
lame excuse because the user/sysadmin is too lazy to find or switch to a
replacement that doesn't have the disadvantages.

[...]


>>> Note that you should NEVER use the Administrator account even to do
>>> admin tasks.
>>
>> That's plain and utter nonsense. I'd like to see a single valid
>> reason for this ridiculous claim.
>
> The part you chose to deliberately snip out gave the reason. The
> solution you provide below regarding the cause that you snipped out
> may not be an option at the time the problem occurs.

Actually I didn't snip out anything. It was *you* who snipped the
still-in-place quote the lines below refer to.

>> Boot the recovery console, rename the administrator profile, reboot,
>> log in as administrator. A new profile will be created. Not that it
>> were a bad thing to have a backup admin account, it's just not
>> necessary.
>
> The vast number of users do NOT install the Recovery Console (.dat
> image file) to have it easily available as a boot-time selection.

So? The recovery console can be booted from the Windows CD/DVD.

> They have to go hunting for their install CD -

So? They'll have to do the very same thing every time they want to
install some of the bundled software. Or have to reinstall their system
because it's FUBAR. Which'll probably happen a *lot* more frequently than
the admin profile getting damaged to a point where the admin cannot log
in anymore. Or at least that's my experience over the past 10 years.

> if they have one since many pre-builts only include a recovery CD with
> an image or no CD at all and the recovery image is in a hidden hard
> disk partition, and for both are not usable for booting to the
> Recovery Console.

For those who are stuck with dysfunctional boot media the approach with
redundant admin accounts may be the only reasonable option, I'll agree
with you on that. However, I don't feel sorry for anyone who allowed the
industry to screw them that much. Do not buy systems without proper
install media. Period.

> Also, if the user has SATA drives, they then have to go hunting for a
> floppy on which they have previously stored the SATA drivers and then
> remember to hit F6 at the start of the load of the Recovery Console.

If the system was installed on a SATA drive with the controller in
native mode, they should either have a floppy with the driver, or they
should have the driver slipstreamed into a custom install CD/DVD. BTDT.
And yes, that's the reasonable thing to do, because you'll need it
anyway in case you have to re-install the system.

If the system was installed on a SATA drive with the controller in
legacy mode, you don't have this problem at all.

> Most users don't even do backups whether logical file backups or image
> backups.

And that's a good thing how?

> And you think they're going to have the Recovery Console setup?

If they have a Windows CD/DVD, they do have the Recovery Console.
Period. Besides, installing the recovery console is just as easy as
creating an additional admin account. If you can do one, you can do the
other. So why not just do it properly in the first place?

Ansgar -59cobalt- Wiechers
25 Dec 2008, 13:43:45
nik gr <niko...@gmail.com> wrote:
> a) At that point can you please explain to me the GREATEST REASONS for
> running under a Windows limited account or running under a LUA token
> under an admin account as opposed to running as I am now, which is
> JUST PURE admin level?

Compromising one account won't compromise the entire system. Also
malware running with limited privileges won't be able to install a
rootkit to hide its presence. What more reason do you need?

[...]


> Why do all the security stuff you mentioned when I have CPF installed
> on my admin account, which is able to notify me of EVERY possible
> malicious action that malware which has found its way into my system
> tries to perform?

Despite any claims the manufacturer may or may not have made in this
respect, that's simply not possible.

Ask yourself:

a) How would a program manage to detect every possible kind of malware?
b) How would a program manage to reliably distinguish between user
actions and actions carried out by some software in place of the
user?

The answer to both questions is, of course, very simple: it can't.

> If it tried to put itself on WinXP startup it will tell me about it
> and I block it, same way if it tries to inject data to another
> process I will be notified and block it, or if it tries to use
> Windows services to abuse them and hide itself I will also be
> notified to block it.

If the program were to intercept every possible kind of communication a
malware might abuse, you'd be flooded with notifications, because other
(legitimate) programs use the very same mechanisms. That's simply not
feasible.

> So if I have such good protection with CPF why bother installing
> software like DropMyRights or 'psexec'? CPF is a tough cop and spy as
> to what happens on my system and NOTHING WILL EVER BE INSTALLED OR DO
> SOMETHING HARMFUL WITHOUT ME KNOWING ABOUT IT AND ALLOWING IT?

Your delusions notwithstanding, no software is capable of guaranteeing
that. And you simply won't notice if some malware slips by undetected.
In which case your entire system will be compromised.

Ansgar -59cobalt- Wiechers
25 Dec 2008, 14:01:10
nik gr <niko...@gmail.com> wrote:

> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> VanguardLH <V...@nguard.lh> wrote:
>>> A process can be made to run under a LUA (limited user account)
>>> token. That is, the process will have the same privileges as that
>>> token. Since the token has the limitation of a standard user
>>> account, that process is also limited. But that only applies when
>>> you run that process under the limited environment. When using
>>> DropMyRights, SysInternals' psexec, or other such utilities that run
>>> the child process under limited privileges, only the process they
>>> start is limited. So if you use them to start the web browser, that
>>> instance of the web browser is limited and you get more protection.
>>
>> Since Microsoft has documented that the *desktop* not the process is
>> the security boundary with Windows, that's most definitely *not* what
>> you want to do.
>
> I didn't understand this sentence. Can you please put it simpler?

No.

>> Instead you want to create an LUA, do your everyday work with that
>> account, and only switch to an admin account to do administrative
>> work.
>
> But as an answer to me in a previous post in this thread you said that
> administrative tasks can be done with ease by selecting "Run as..."
> within a LUA. Correct?
> So, why switch back and forth from LUA to admin level when we can
> do our admin tasks within our LUA environment?

My wording was probably misleading here. Sorry. I meant "switching" in a
broader context here. Not only logging off and back on with an admin
account, but also by using FUS or executing a program via "Run As..."
under an admin account.

However, RunAs is only a workaround, because programs will share the
same desktop, meaning they may be susceptible to something like shatter
attacks carried out by malware running with reduced privileges. The
advantage is, that you limit the time programs with elevated privileges
are exposed. The better (more secure) way is to log off, log on as an
admin to do your admin tasks, then log off and back on with your normal
user account. Yes, that's not necessarily convenient.

With Vista Microsoft seems to have introduced some additional kind of
access control, so that shatter attacks may not be an actual problem
in this scenario anymore. However, I don't know enough about this new
system to make any statement about its reliability. Conservative
approaches like logging off and back on are virtually always the safest
bet when it comes to security.
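
The token and "Run As..." mechanics discussed in the exchange above, as an added example that is not part of the thread and not code from Comodo, Microsoft or the DropMyRights/psexec tools. It assumes PowerShell 3.0 or later on Windows Vista or later, an English-language Windows (the `whoami` column names are localized), and an existing standard-user account whose name you supply; the default name `limited` is a placeholder.

```powershell
# Added example, not from the thread. Shows what the current process
# token actually carries, and the "Run As..." equivalent of starting a
# program under another account.
# Assumptions: PowerShell 3.0+, Windows Vista or later, English Windows
# (whoami column names are localized), and an existing standard-user
# account; the default name 'limited' is a placeholder.

function Get-TokenSummary {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # whoami /groups lists every group SID in the token with its attributes.
    # Under UAC the Administrators group is still present in the filtered
    # token but carries "Group used for deny only", so IsInRole() is false.
    # On XP (no UAC) an admin logon shows it as a plain enabled group.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # local Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # integrity level (Vista+)

    [pscustomobject]@{
        User                 = $id.Name
        EffectiveAdmin       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroupAttributes = if ($admin) { $admin.Attributes } else { 'not in token' }
        IntegrityLevel       = if ($label) { $label.'Group Name' } else { 'n/a' }
    }
}

function Start-AsOtherUser {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @(),
        [string]$UserName = 'limited'    # placeholder: an existing standard-user account
    )
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    # Same thing "Run as..." / runas.exe does: the child gets that account's
    # token. It still shares this interactive desktop, which is the boundary
    # the post above refers to; a full log-off/log-on is the conservative
    # alternative.
    if ($ArgumentList.Count -gt 0) {
        Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Credential $cred
    } else {
        Start-Process -FilePath $FilePath -Credential $cred
    }
}

Get-TokenSummary
# Start-AsOtherUser -FilePath "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
```

If `EffectiveAdmin` is true for the shell you browse and read mail from, every program you start from it can do what the thread says an administrator can do, including stopping whatever security software is running. Running the browser through `Start-AsOtherUser` limits that one process only; the desktop it lands on is still shared with your admin session.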

VanguardLH
26 Dec 2008, 17:16:57
nik wrote:

> As for a browser I am currently using Google's Chrome.

Before using Chrome, you want to Google around regarding its security.
It has features to improve security but then there are gotchas, like:

http://notechie.com/google-chrome-inserted-keylogger/
http://jischinger.wordpress.com/2008/11/16/google-chrome-a-keylogger-privacy-concerns/

Remember that Google wants to collect as much information as they can.
In the copy of Chrome that I installed to trial it inside a virtual
machine, the "Use a Suggestion Search" is no longer there as an option
when editing search engines (as noted in the 2nd article above). It's
been moved to under Options (click on the wrench toolbar icon to get at
Options).

nik gr
26 Dec 2008, 17:52:58

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message news:gj0k91...@news.in-ulm.de...

> Ask yourself:
>
> a) How would a program manage to detect every possible kind of malware?
> b) How would a program manage to reliably distinguish between user
> actions and actions carried out by some software in place of the
> user?
>
> The answer to both questions is, of course, very simple: it can't.

a) Of course CPF can't detect every possible kind of malware but it can
analyse the behaviour of a weird executable that is trying to meddle with
Windows itself by means of gaining access to specific system services or
creating hooks or using shared DLLs. The moment such a thing might occur
CPF will alert me to react to these actions by allowing or blocking them.

b) Same as answer (a). CPF can't tell if I made an action or some trojan
did. But by analysing the nature of the action, its behaviour, as in what it
tries to mess with, it will notify me of the event taking place.

>> If it tried to put itself on WinXP startup it will tell me about it
>> and I block it, same way if it tries to inject data to another
>> process I will be notified and block it, or if it tries to use
>> Windows services to abuse them and hide itself I will also be
>> notified to block it.
>
> If the program were to intercept every possible kind of communication a
> malware might abuse, you'd be flooded with notifications, because other
> (legitimate) programs use the very same mechanisms. That's simply not
> feasible.

I would be flooded with notifications only by non-valid Windows
components/applications trying to perform trickery; legitimate Windows
services won't be filling me with pop-up alerts.

I still am not convinced why CPF by itself isn't enough for protecting me,
since it seems it can understand all the mechanisms an app can use to alter
data on my system or to create communication paths.

Personally I feel pretty safe with CPF.

nik gr
26 Dec 2008, 18:08:11

"VanguardLH" <V...@nguard.LH> wrote in message news:gj3l4f$r10$1...@news.motzarella.org...

Great! We finally came to the day when everything we type is recorded by our
browser and then sent away to various other 3rd party analysers.

IE 8 will incorporate that function too.

Safety no more for people then. Will Firefox embed such keylogger actions
into itself as well?

What will we be using then if all companies do the same?

Perhaps learn C++ and program a browser of our own?!

Very sad....

nik gr
26 Dec 2008, 18:11:52

"Volker Birk" <bum...@dingens.org> wrote in message news:girjb3...@news.in-ulm.de...


>
> nik <niko...@gmail.com> wrote:
>> I recently installed Comodo Internet Security and I would like to know
>> your
>> opinion on this application and how trustworthy it is.
>
> You don't need a "Personal Firewall".

Okay, perhaps you want to tell me why, and how I will keep being aware of
what is happening to my system when a malware tries to compromise it, in case
I get infected?

Routers and hardware firewalls won't save my ass when Windows gets infected
and malware nests in my system, creating outgoing connections to download
some more malstuff and update themselves.....

Ansgar -59cobalt- Wiechers
26 Dec 2008, 18:20:34
nik gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> Ask yourself:
>>
>> a) How would a program manage to detect every possible kind of malware?
>> b) How would a program manage to reliably distinguish between user
>> actions and actions carried out by some software in place of the
>> user?
>>
>> The answer to both questions is, of course, very simple: it can't.
>
> a) Of course CPF can't detect every possible kind of malware but it
> can analyse the behaviour of a weird executable that is trying to
> meddle with Windows itself by means of gaining access to specific
> system services or creating hooks or using shared DLLs. The moment
> such a thing might occur CPF will alert me to react to these
> actions by allowing or blocking them.

When running with admin privileges, any program can do anything on your
system. Period. That's what administrative privileges mean. That
includes of course terminating Comodo before doing anything else. If the
program can't do that, it doesn't have admin privileges anymore. And
neither do you.

Stripping an admin account of its admin privileges instead of simply
using an account with limited privileges is plain stupid.

> b) Same as answer (a). CPF can't tell if I made an action or some
> trojan did. But by analysing the nature of the action, its behaviour,
> as in what it tries to mess with it will notify me for the event taken
> place.

Same answer as a): no.

You. Cannot. Restrict. Administrators. Period.

Not without demoting them from being administrators that is.

>>> If it tried to put itself on WinXP startup it will tell me about it
>>> and I block it, same way if it tries to inject data to another
>>> process I will be notified and block it, or if it tries to use
>>> Windows services to abuse them and hide itself I will also be
>>> notified to block it.
>>
>> If the program were to intercept every possible kind of communication
>> a malware might abuse, you'd be flooded with notifications, because
>> other (legitimate) programs use the very same mechanisms. That's
>> simply not feasible.
>
> I would be flooded with notifications only by non-valid Windows
> components/applications trying to perform trickery; legitimate Windows
> services won't be filling me with pop-up alerts.

Since we already agreed that Comodo can't distinguish between what is
and isn't legitimate: of course you will. Otherwise you'll get false
negatives.

> I still am not convinced why CPF by itself isn't enough for protecting
> me, since it seems it can understand all the mechanisms an app can use
> to alter data on my system or to create communication paths.

For whatever reason you want to believe that.

> Personally I feel pretty safe with CPF.

Feeling safe is not quite the same as being safe.

VanguardLH
26 Dec 2008, 21:10:54
nik gr wrote:

> "VanguardLH" wrote ...


>>
>> nik wrote:
>>
>>> As for a browser I am currently using Google's Chrome.
>>
>> Before using Chrome, you want to Google around regarding its security.
>> It has features to improve security but then there are gotchas, like:
>>
>> http://notechie.com/google-chrome-inserted-keylogger/
>> http://jischinger.wordpress.com/2008/11/16/google-chrome-a-keylogger-privacy-concerns/
>>
>> Remember that Google wants to collect as much information as they can.
>> In the copy of Chrome that I installed to trial it inside a virtual
>> machine, the "Use a Suggestion Search" is no longer there as an option
>> when editing search engines (as noted in the 2nd article above). It's
>> been moved to under Options (click on the wrench toolbar icon to get at
>> Options).
>
> Great! We finally came to the day when everything we type is recorded by our
> browser and then sent away to various other 3rd party analysers.

It's very similar to Google's Toolbar and its "advanced" functions of
PageRank and PageInfo. You have the option to disable those so your URL
clicks don't have you going through their servers to track your use of
Google's match results. I don't remember what the default setting was
for their toolbar for these features. The default for Chrome is to
track your searches. Many folks still use the Google Toolbar but those
that realize the privacy implication of PageRank and PageInfo will turn
those options off.

> IE 8 will incorporate that function too.

Yep, but the default after the IE8 install is OFF. I don't know if
there is any warning regarding privacy considerations when the user
chooses to turn this option on - but then there's Google searching
(which can even be a bane at times to Google regarding their own
products and intent).

> Will Firefox embed such keylogger actions into
> itself as well?

I really doubt it. However, Mozilla does get its funding from Google.
Things could change.

http://news.cnet.com/8301-13739_3-9776759-46.html

> What will we be using then if all companies do the same?

Lynx (a highly simplistic text-only web browser). ;-> nyuk nyuk nyuk

You have to remember that Google didn't create Chrome to be the best or
even a better web browser. They built it to accommodate their web apps.
They needed Javascript to be faster (to compile it instead of interpret
it) to make those webapps faster and more alluring. They needed
multimedia content to render faster for the same reasons. Google's aim
is not to replace FF or IE but to use their webapps to replace
Microsoft's Office. Chrome gives Google a better platform for their
webapps.

As for security, with their Google Earth and now with Google Chrome,
Google has exhibited a dislike for software installation control over
their own products. They want even limited users to be able to alter
the software configuration of whatever host on which they are allowed to
login. Both products "install" (copy) their files under the
%userprofile% path where the user has full permissions, and that
includes the Execute permission. So by dumping their files under the
user's profile path they eliminate the restrictions imposed for normal
software installs or access to the %programfiles% path. While it is
possible to remove the Execute permission from your profile folder (and
for all other account profiles) and propagate the reduction to all child
folders under the assumption that %userprofile% should only be for data
files (documents, configs, logs) and %programfiles% the default locale
for programs, I'm not sure what the impact would be by doing so, plus if
Google can't install there where they know the user has both read/write
and execute permissions then they might just figure out some other
locale to dump their files where the user has those same permissions
(because %programfiles% may deny that user write permission).

Google isn't the warm fuzzy companion you might think. They have their
goals and are a business that wants to stay in business.

VanguardLH
26 Dec 2008, 21:26:02
nik gr wrote:

Once infected, the firewall (and just the firewall) won't help you
recover or protect your system. Firewalls are to regulate traffic
between hosts, like preventing unsolicited intrusions. You can also use
them with app rules to regulate which [good and many malware] apps can
connect out from your host and to where they can connect. Since they are
software running on your host, they can be thwarted, but most good
software firewalls also have a kernel-level component to prevent most
types of compromise. Don't expect a firewall to protect you from
infection. After all, when you choose to download the file or execute
it in an e-mail, your firewall is powerless. For an exploit that uses a
buffer overrun to deliver a tiny payload (that then goes out to get the
rest of the malware), you've already told your firewall in its app rules
to allow the web browser to connect and transfer that payload.

However, CFP is not just a firewall, so the arguments against software
firewalls in general are not directly applicable. CFP also has its
SafeSurf (aka Comodo Memory Firewall) to guard against buffer overruns.
It also contains its HIPS function that lets you regulate which file is
allowed to load into memory and execute from there (whether you rely on
their whitelist or go paranoid and make all decisions yourself). It
includes heuristics for behavioral analysis to detect malicious
behavior. It isn't JUST a firewall, but its product name usually
engenders the same staid arguments against old and simplistic firewalls
and that they are NOT to protect against infection except merely as a
consequence of your configuration of them with app rules, which is only
a simplistic form of protection itself (and why HIPS goes beyond just
deciding which file can load to run but also what actions it is allowed
to perform).

Alas, the problem with HIPS is that you, the user, have to understand
what the prompts mean, so, again, it still comes down to the USER as the
primary infection vector into a host. Also, while HIPS lets you decide
just what is allowed to load and what a process can do, that still
doesn't equate to limiting privileges on that process (most actions that
you regulate via HIPS are not exactly the same as what limiting
privileges does, although there can be quite a bit of overlap).

Perhaps Ansgar and Volker would like to elucidate on what they DO use for
security software on their own hosts. Not just what upstream appliances
they may employ in a more-corporate-like environment but what, say, they
use themselves at home or on their laptop (when it roams).
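
The app-rule idea in the post above (which processes may hold connections, and to where) done by hand, as an added example that is not part of the thread and not Comodo's or anyone else's product code. It assumes Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` exists (on XP-era systems `netstat -ano` or TCPView give the same raw data), and the allow-list of process names is a placeholder you would replace with your own.

```powershell
# Added example, not from the thread. Inventory of TCP listeners and
# established connections with their owning process, and a flag for
# owners that are not on an allow-list you maintain yourself.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection,
# PowerShell 3.0+). $AllowedOwners is a placeholder, not a recommendation.

$AllowedOwners = @('svchost', 'System', 'firefox', 'thunderbird')   # placeholder

function Get-ConnectionInventory {
    # Index running processes by PID once, so each socket is a hashtable lookup.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection |
        Where-Object { $_.State.ToString() -in @('Listen', 'Established') } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            # .Path is unavailable for protected/system processes; treat that as unknown.
            $path = if ($p) { try { $p.Path } catch { $null } } else { $null }
            [pscustomobject]@{
                State   = $_.State.ToString()
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '?' }
                Path    = $path
                Allowed = if ($p) { $AllowedOwners -contains $p.ProcessName } else { $false }
            }
        }
}

$inv = Get-ConnectionInventory

# Listeners are the services this host "provides". Anything here you did
# not intend to expose is a decision to revisit, not a firewall prompt.
$inv | Where-Object { $_.State -eq 'Listen' } |
    Sort-Object Local | Format-Table Local, Pid, Process, Path -AutoSize

# Outbound sessions from processes you did not list are what an outbound
# app rule would have asked you about; here you see the binary path and
# the peer address together and decide with the full picture.
$inv | Where-Object { $_.State -eq 'Established' -and -not $_.Allowed } |
    Format-Table Local, Remote, Pid, Process, Path -AutoSize
```

A process name on the allow-list is only a name: a second binary called `svchost.exe` running from a user-writable directory passes this check, which is exactly why the `Path` column is printed next to it. Run the inventory from an account that is not the one you browse with if you want the result to mean anything on a host you suspect.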

nik gr
27 Dec 2008, 08:34:07

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message news:gj3os2...@news.in-ulm.de...


>
> nik gr <niko...@gmail.com> wrote:
>> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>>> Ask yourself:
>>>
>>> a) How would a program manage to detect every possible kind of malware?
>>> b) How would a program manage to reliably distinguish between user
>>> actions and actions carried out by some software in place of the
>>> user?
>>>
>>> The answer to both questions is, of course, very simple: it can't.
>>
>> a) Of course CPF can't detect every possible kind of malware but it
>> can analyse the behaviour of a weird executable that is trying to
>> meddle with Windows itself by means of gaining access to specific
>> system services or creating hooks or using shared DLLs. The moment
>> such a thing might occur CPF will alert me to react to these
>> actions by allowing or blocking them.
>
> When running with admin privileges, any program can do anything on your
> system. Period. That's what administrative privileges mean. That
> includes of course terminating Comodo before doing anything else. If the
> program can't do that, it doesn't have admin privileges anymore. And
> neither do you.

No it can't, because firewalls are there to block those actions.
If you don't believe that then why don't you remove your firewall from your
system?
By your saying, it's crap. Any malware with admin rights can shut it down as
you say. Then why bother?

Personally I believe CPF has mechanisms to prevent this.

> Stripping an admin account of its admin privileges instead of simply
> using an account with limited privileges is plain stupid.

Who said anything about stripping admin accounts of admin rights? How many
drinks did you have?

>> b) Same as answer (a). CPF can't tell if I made an action or some
>> trojan did. But by analysing the nature of the action, its behaviour,
>> as in what it tries to mess with it will notify me for the event taken
>> place.
>
> Same answer as a): no.
>
> You. Cannot. Restrict. Administrators. Period.
>
> Not without demoting them from being administrators that is.

Again, what are you talking about?
Questions here is whether the fw can distinguish if an action is made by
user or a trojan.

>>>> If ti tried to put itself on winxp startup it will tell me about it
>>>> and I block it, same way if it tries to inject data to another
>>>> proccess I will be notified and block it, or if it tries to use
>>>> windows services to abuse them and hide it self I will also be
>>>> notified to blcom it.
>>>
>>> If the program were to intercept every possible kind of communication
>>> a malware might abuse, you'd be flooded with notifications, because
>>> other (legitimate) programs use the very same mechanisms. That's
>>> simply not feasible.
>>
>> I would be flooded with notification only by non-valid windows
>> component/applications tryign to perform trickery, legitimate windows
>> service wont be filling me with pop up alerts.
>
> Since we already agreed that Comodo can't distinguish between what is
> and isn't legitimate: of course you will. Otherwise you'll get false
> negatives.

When did I agree that Comodo can't distinguish between what is
and what isn't legitimate?

Not only do I not agree, but I strongly disagree.

Comodo knows which apps are Windows components and has them on white
lists internally. It only asks questions for all other apps including
trojans.


>> I still aint convince of why CPF by itslef aint enough for protecting
>> me since it seems it can understand all the mechanism an app can use
>> to alter data on my system or to create communication paths.
>
> For whatever reason you want to believe that.
>
>> Personally I feel pretty safe with CPF.
>
> Feeling safe is not quite the same as being safe.

And how exactly do you distinguish between the two modes regarding your
security?

nik gr
27 Dec 2008, 08:46:32

"VanguardLH" <V...@nguard.LH> wrote in message news:gj43lq$bcc$1...@news.motzarella.org...

I am not expecting CPF to remove the infection from my host but I DO expect
the malware within my system to be dysfunctional, because any action it might
want to execute that messes with the OS, I expect the fw to notify me about
it and then I will block it.

So perhaps I will be infected by something but CPF won't allow it to do any
harm because I will block any strange attempt I'll see.

Volker just said "You don't need a fw" and that's all?

No justification for his claim?

WELL SHOULD WE OR SHOULD WE NOT USE PERSONAL FIREWALLS?!
OPINIONS DIFFER AS I SEE BUT ON THE OTHER HAND HARDWARE FIREWALLS AREN'T
EVERYTHING.

Ansgar -59cobalt- Wiechers
27 Dec 2008, 10:42:22
nik gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> nik gr <niko...@gmail.com> wrote:
>>> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>>>> Ask yourself:
>>>>
>>>> a) How would a program manage to detect every possible kind of malware?
>>>> b) How would a program manage to reliably distinguish between user
>>>> actions and actions carried out by some software in place of the
>>>> user?
>>>>
>>>> The answer to both questions is, of course, very simple: it can't.
>>>
>>> a) Of course CPF can't detect every possible kind of malware but it
>>> can analyse the behaviour of a weird executable that is trying to
>>> meddle with Windows itself by means of gaining access to specific
>>> system services or creating hooks or using shared DLLs. The moment
>>> such a thing might occur CPF will alert me to react to these
>>> actions by allowing or blocking them.
>>
>> When running with admin privileges, any program can do anything on your
>> system. Period. That's what administrative privileges mean. That
>> includes of course terminating Comodo before doing anything else. If the
>> program can't do that, it doesn't have admin privileges anymore. And
>> neither do you.
>
> No it can't, because firewalls are there to block those actions.

Again, they can't do that reliably.

> If you don't believe that then why don't you remove your firewall from
> your system?

Why would I remove something I haven't installed in the first place?

> By your saying, it's crap. Any malware with admin rights can shut it
> down as you say. Then why bother?

Exactly.

> Personally I believe CPF has mechanisms to prevent this.

Security is not a religion. This is about knowing, not about believing.
And I can assure you that Comodo cannot have mechanisms to prevent this,
unless it strips your admin account of its admin privileges.

>> Stripping an admin account of its admin privileges instead of simply
>> using an account with limited privileges is plain stupid.
>
> Who said anything about stripping admin accounts of admin rights?

I did. Because that is the only way the program could restrict software
running with admin privileges from doing whatever it pleases.

> How many drink did you have?

Unlike you I happen to know what I'm talking about.

>>> b) Same as answer (a). CPF can't tell if I made an action or some
>>> trojan did. But by analysing the nature of the action, its behaviour,
>>> as in what it tries to mess with it will notify me for the event taken
>>> place.
>>
>> Same answer as a): no.
>>
>> You. Cannot. Restrict. Administrators. Period.
>>
>> Not without demoting them from being administrators that is.
>
> Again, what are you talking about?

About your claim that Comodo could restrict software being run under
your admin account.

> Questions here is whether the fw can distinguish if an action is made
> by user or a trojan.

That is one of the questions. It is by no means the only question. Even
if a program could distinguish between good and malicious actions (which
it can't): what good would that do, if malware could simply terminate
the program trying to detect malicious actions? Yes, programs running
with admin privileges can do that, whether you like that fact or not.

>>>>> If it tried to put itself on WinXP startup it will tell me about
>>>>> it and I block it, same way if it tries to inject data to another
>>>>> process I will be notified and block it, or if it tries to use
>>>>> Windows services to abuse them and hide itself I will also be
>>>>> notified to block it.
>>>>
>>>> If the program were to intercept every possible kind of
>>>> communication a malware might abuse, you'd be flooded with
>>>> notifications, because other (legitimate) programs use the very
>>>> same mechanisms. That's simply not feasible.
>>>
>>> I would be flooded with notifications only by non-valid Windows
>>> components/applications trying to perform trickery; legitimate
>>> Windows services won't be filling me with pop-up alerts.
>>
>> Since we already agreed that Comodo can't distinguish between what is
>> and isn't legitimate: of course you will. Otherwise you'll get false
>> negatives.
>
> When did I agree that Comodo can't distinguish between what is and
> what isn't legitimate?
>
> Not only I agree, but I strongly disagree.

Oh, really? You may want to explain then, how Comodo might do that
trick.

> Comodo knows which apps are Windows components and has them on
> white lists internally. It only asks questions for all other apps
> including trojans.

Is that true? Do you know how those whitelists are implemented? Do they go
by name? With or without path? Hash? Which algorithm? How do they deal
with updates? How do they protect against malicious "updates"? Not to
mention that Windows' system files are the least of your problems,
because they're digitally signed by Microsoft anyway, so you can simply
check their integrity yourself with sigverif.exe.

Did you ever notice that the majority of the programs installed on most
systems does not come from Microsoft, but some third party? Meaning that
you'd still be flooded with notifications.

Do you have even the slightest understanding of what's going on on your
system? Have you ever run Regmon or Filemon? Have you ever run TCPView
or netstat? Have you ever inspected actual network communication with a
protocol analyzer like Wireshark? Do you understand how IPC through
window messages works? Do you have anything but your religious belief
that Comodo will fix things for you?

>>> I still ain't convinced of why CPF by itself ain't enough for protecting
>>> me, since it seems it can understand all the mechanisms an app can use
>>> to alter data on my system or to create communication paths.
>>
>> For whatever reason you want to believe that.
>>
>>> Personally I feel pretty safe with CPF.
>>
>> Feeling safe is not quite the same as being safe.
>
> And how exactly do you distinguish between the two modes regarding your
> security?

By avoiding risks in the first place. By taking an actual look at what's
going on on the system myself. From an admin account that is unlikely to
be compromised, because day-to-day work is done from an account with
limited rights. Or by booting a clean system to check the potentially
compromised system. By inspecting the network traffic (with some other
system) and deciding for myself what traffic is or isn't valid. A
program cannot make this decision for you.
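Ansgar's point that you can check the signatures of Windows system files yourself (what sigverif.exe does) can be scripted so the result is filterable and can be compared between runs. This is an added example, not code from anyone in the thread; it assumes Windows PowerShell 5.1 or later (where Get-AuthenticodeSignature also consults the system's signing catalogs) and the directory, extensions and expected-signer defaults are my own choices.

```powershell
# Added example: report files under a directory whose Authenticode signature
# is not valid, or is valid but not from the signer you expect there.
# Assumes Windows PowerShell 5.1+; older versions do not check catalog
# signatures and would report most catalog-signed Windows files as NotSigned.
# Run from an elevated prompt so every file in System32 is readable.
function Get-SuspectSystemFiles {
    param(
        [string]   $Path           = "$env:SystemRoot\System32",
        [string[]] $Include        = @('*.exe', '*.dll', '*.sys'),
        [string]   $ExpectedSigner = 'Microsoft'   # regex matched against the signer subject
    )
    Get-ChildItem -Path $Path -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

            # 'Valid' means the file hash matches the signature and the certificate
            # chain ends in a trusted root. NotSigned, HashMismatch and UnknownError
            # all deserve a closer look, although third-party drivers and tools that
            # were never signed show up here too, so the list needs a human reading it.
            $reason = $null
            if ($sig.Status -ne 'Valid') {
                $reason = "signature status $($sig.Status)"
            } elseif ($signer -notmatch $ExpectedSigner) {
                $reason = 'valid signature, but not from the expected signer'
            }

            if ($reason) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = $signer
                    Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Reason = $reason
                }
            }
        }
}

# Save one run, repeat it later and diff the two: a file that was Valid before
# and is HashMismatch now has been altered on disk since the first run.
Get-SuspectSystemFiles | Sort-Object Status, Path | Format-Table -AutoSize
```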

Ansgar -59cobalt- Wiechers
27 Dec 2008, 10:47:47
VanguardLH <V...@nguard.lh> wrote:
> Perhaps Ansgar and Volker would like to elucidate on what they DO use for
> security software on their own hosts. Not just what upstream
> appliances they may employ in a more-corporate-like environment but
> what, say, they use themselves at home or on their laptop (when it
> roams).

I don't provide services I don't want to provide.
I don't install software I don't trust.
I use admin accounts only for admin tasks.
I use normal user accounts for everything else.
I keep all of the software on my systems up to date.

Nik Gr
27 Dec 2008, 12:27:23

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gj5icu...@news.in-ulm.de...

> That is one of the questions. It is by no means the only question. Even
> if a program could distinguish between good and malicious actions (which
> it can't): what good would that do, if malware could simply terminate
> the program trying to detect malicious actions? Yes, programs running
> with admin privileges can do that, whether you like that fact or not.

If what you say stands TRUE, especially if malware could SIMPLY TERMINATE
security products that get in their way, then the majority of all
computer users must be really idiots or plain ignorant to start or continue
using personal firewalls, including me.

Heck, we EXPECT a damn good firewall like CPF to protect its own
process and NOT get shut down by even the smartest malware.

If this claim ain't true I will uninstall CPF from my system immediately.

So are we better off without software firewalls or not? Install them or not?
Even if they aren't a panacea, won't they provide some layer of security even
if all they can do is block a DoS attack or a port scan?!

>>>> Personally I feel pretty safe with CPF.
>>>
>>> Feeling safe is not quite the same as being safe.
>>
>> And how exactly do you distinguish between the two modes regarding your
>> security?
>
> By avoiding risks in the first place. By taking an actual look at what's
> going on on the system myself. From an admin account that is unlikely to
> be compromised, because day-to-day work is done from an account with
> limited rights.

> Or by booting a clean system to check the potentially
> compromised system.

How are you accomplishing that? Is there a way to start windows clean by
cd/dvd to check if my installed system is altered from what it was
initially?

> By inspecting the network traffic (with some other
> system) and deciding for myself what traffic is or isn't valid. A
> program cannot make this decision for you.

I agree.
TCPView,
Wireshark and
Process Explorer I have.

Do I need something else?
But hell, even if I use all that monitoring stuff and firewalls are really no
good, I will still get infected, won't I?

Nik Gr
27 Dec 2008, 12:30:57

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gj5in3...@news.in-ulm.de...


>
> VanguardLH <V...@nguard.lh> wrote:
>> Perhaps Ansgar and Volker would like to elucidate on they DO use for
>> security software on their own hosts. Not just what upstream
>> appliances they may employ in a more-corporate-like environment but
>> what, say, they use themselves at home or on their laptop (when it
>> roams).
>
> I don't provide services I don't want to provide.
> I don't install software I don't trust.
> I use admin accounts only for admin tasks.
> I use normal user accounts for everything else.
> I keep all of the software on my systems up to date.

So indeed security is a process, not a product.

Also you don't use firewalls.
And your opinion about using antivirus products, e.g. Avast or Avira?!

Ansgar -59cobalt- Wiechers
27 Dec 2008, 13:47:42
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> That is one of the questions. It is by no means the only question.
>> Even if a program could distinguish between good and malicious
>> actions (which it can't): what good would that do, if malware could
>> simply terminate the program trying to detect malicious actions? Yes,
>> programs running with admin privileges can do that, whether you like
>> that fact or not.
>
> If what you say stands TRUE,

It's true under the condition that malware is run under an admin account
which has not been restricted in any significant way.

> especially if malware could SIMPLY TERMINATE security products that
> get in their way, then the majority of all computer users must be
> really idiots or plain ignorant to start or continue using personal
> firewalls, including me.

Well, if you want to put it that way ...

> Heck, we EXPECT a damn good firewall like CPF to protect its own
> process and NOT get shut down by even the smartest malware.

Well, duh. You expecting something doesn't necessarily mean that your
expectations will be met.

Any administrative account can, by definition, do *anything* on the
system, and so can any software running with the same privileges. To
avoid that you have to reduce the account's privileges. The normal way
to achieve this is to create a normal user account (LUA) for normal work
and using the admin account only for admin tasks.

Some personal firewalls go a different route, because many people still
insist on doing their day-to-day work from an admin account. The PFWs
employ rootkit techniques to restrict administrators, so that even admin
accounts cannot tamper with the personal firewall. That is less than
desirable, because who will be the administrator on your machine when
the administrator account is not the administrator anymore? Even worse,
the rootkit functionality may be (ab)used by malware to disguise itself.
This has already happened in the case of the Sony rootkit [1].

[...]


>>> And how exactly do you distinguish between the two modes regarding
>>> your security?
>>
>> By avoiding risks in the first place. By taking an actual look at
>> what's going on on the system myself. From an admin account that is
>> unlikely to be compromised, because day-to-day work is done from an
>> account with limited rights.
>
>> Or by booting a clean system to check the potentially compromised
>> system.
>
> How are you accomplishing that? Is there a way to start windows clean
> by cd/dvd to check if my installed system is altered from what it was
> initially?

There's BartPE [2] for instance. You could also use a Linux live CD to
examine a Windows system.

>> By inspecting the network traffic (with some other
>> system) and deciding for myself what traffic is or isn't valid. A
>> program cannot make this decision for you.
>
> I agree.
> TCPView,
> Wireshark and
> Process Explorer I have.
>
> Do I need something else?

First and foremost you need to understand what those programs are
telling you. Without that no tool will do you any good.

Other programs that may be helpful are Autoruns, Regmon/Filemon or
Process Monitor, rootkit detection tools like Rootkit Revealer or
Rootkit Hook Analyzer, Port Reporter, nmap, debuggers and many more.
There is no definitive list, though. Computer forensics is a quite
difficult and complex field.

> But hell, even if I use all that monitoring stuff and firewalls are
> really no good, I will still get infected, won't I?

You may get infected. There is no way to entirely protect your computer
from that risk if you want to keep using it. You can reduce this risk,
though, and one important step in that direction is to avoid using an
account with admin privileges, because malware running with reduced
privileges cannot compromise other accounts or the entire system.

Also, you don't want to restrict malware after your system was infected.
Instead you want to avoid getting infected in the first place. Keeping
your operating system and software up-to-date is crucial for that. Virus
scanners may also help if you keep in mind that they can only detect the
presence of malware, never the absence of malware. Another thing that
may help are Software Restriction Policies [3].

You said that you often try out new software. That does increase your
risk of getting infected. A way to mitigate this could be to try new
software on a separate system (e.g. a virtual machine) before using it
on your "live" system.

[1] http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal
[2] http://www.nu2.nu/pebuilder/
[3] http://technet.microsoft.com/en-us/library/bb457006.aspx

Ansgar -59cobalt- Wiechers
27 Dec 2008, 13:59:52
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> VanguardLH <V...@nguard.lh> wrote:
>>> Perhaps Ansgar and Volker would like to elucidate on they DO use for
>>> security software on their own hosts. Not just what upstream
>>> appliances they may employ in a more-corporate-like environment but
>>> what, say, they use themselves at home or on their laptop (when it
>>> roams).
>>
>> I don't provide services I don't want to provide.
>> I don't install software I don't trust.
>> I use admin accounts only for admin tasks.
>> I use normal user accounts for everything else.
>> I keep all of the software on my systems up to date.
>
> So indeed security is a process, not a product.

Yes.

> Also you don't use firewalls.

I don't use personal firewalls (because I don't see any need to do so).
I do use firewalls to protect my networks from untrusted networks.

> And your opinion about using antivirus products, e.g. Avast or Avira?!

I think antivirus software can be helpful to some extent, because it may
detect the presence of malware. I use the free version of AVG, mainly as
an additional filter for scanning files that go into one of my systems.
However, be aware of the fact that "no threat found" means exactly that:
no threat found. It does not mean "no threat present", because the
program may simply be lacking a signature for a virus.

Heuristics and behavior-based analysis methods try to work around the
limitations of the traditional signature-based approach, but have the
disadvantage of generating considerably more false positives (alerts
when there isn't an actual virus). In my experience that leads to
reduced awareness of the users, since they become accustomed to just
OK-ing the warnings.

Nik Gr
27 Dec 2008, 15:31:19

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gj5tv8...@news.in-ulm.de...
>
> Nik Gr <niko...@gmail.com> wrote:

>> Also you don't use firewalls.
>
> I don't use personal firewalls (because I don't see any need to do so).
> I do use firewalls to protect my networks from untrusted networks.

The reason for you NOT wanting to use personal firewalls in admin accounts is
because:

a) They won't protect from being infected if you double click an infected
executable that you just downloaded.
b) In case you are infected, malware will shut personal firewalls down and
have their way into the system doing the harm they were created to do, just
like when no firewall was installed?

So personal firewalls provide no layer of security?
Should I uninstall CPF?

> Heuristics and behavior-based analysis methods try to work around the
> limitations of the traditional signature-based approach, but have the
> disadvantage of generating considerably more false positives (alerts
> when there isn't an actual virus). In my experience that leads to
> reduced awareness of the users, since they become accustomed to just
> OK-ing the warnings.

What's the difference between heuristics and behavior-based analysis methods?

Ansgar -59cobalt- Wiechers
27 Dec 2008, 16:25:26
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> Nik Gr <niko...@gmail.com> wrote:
>>> Also you don't use firewalls.
>>
>> I don't use personal firewalls (because I don't see any need to do
>> so). I do use firewalls to protect my networks from untrusted
>> networks.
>
> The reason for you NOT wanting to use personal firewalls in admin
> accounts is because:
>
> a) They won't protect from being infected if you double click an
> infected executable that you just downloaded.

It depends on what the malware is actually doing, but they can't
reliably protect from that. And it's not limited to the user
double-clicking an executable. There are other ways a program can be
executed (e.g. autorun from a CD).

> b) In case you are infected, malware will shut personal firewalls down
> and have their way into the system doing the harm they were created to
> do, just like when no firewall was installed?

Not "will", but "may". Like I said above, it depends on what the malware
is actually doing.

There's another reason why I don't use personal firewalls:

c) The personal firewall is additional code that may contain additional
vulnerabilities, so running a personal firewall may even *create* a
security breach that wouldn't exist without it. This has already
happened ITW (see W32/Witty.worm).

> So personal firewalls provide no layer of security?

They can provide a layer of security in some respects (e.g. when you
can't unbind a service you need from the external interface, or when you
want to use a notebook in both trusted and untrusted networks, but don't
want to have to go to the trouble of reconfiguring the services all the
time). However, with the way Windows works, outbound control can never
be done in a reliable way, so I wouldn't agree that personal firewalls
provide a layer of security in that respect.

> Should I uninstall CPF?

That is your decision. All I can say is that I seriously doubt its
usefulness and wouldn't install it on my systems.

>> Heuristics and behavior-based analysis methods try to work around the
>> limitations of the traditional signature-based approach, but have the
>> disadvantage of generating considerably more false positives (alerts
>> when there isn't an actual virus). In my experience that leads to
>> reduced awareness of the users, since they become accustomed to just
>> OK-ing the warnings.
>
> What's the difference between heuristics and behavior-based analysis
> methods?

Behavior analysis is a subset of heuristics and usually means monitoring
the interaction between program and system for suspicious behavior.
There are other heuristics, though, like checking for self-modifying or
self-decrypting code.

Kayman
27 Dec 2008, 19:54:03
On Sat, 27 Dec 2008 22:31:19 +0200, Nik Gr wrote:

> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
> news:gj5tv8...@news.in-ulm.de...
>>
>> Nik Gr <niko...@gmail.com> wrote:
>
>>> Also you don't use firewalls.
>>
>> I don't use personal firewalls (because I don't see any need to do so).
>> I do use firewalls to protect my networks from untrusted networks.
>
> The reason for you NOT wanting to use personal firewalls in admin accounts is
> because:
>
> a) They won't protect from being infected if you double click an infected
> executable that you just downloaded.
> b) In case you are infected, malware will shut personal firewalls down and
> have their way into the system doing the harm they were created to do, just
> like when no firewall was installed?
>
> So personal firewalls provide no layer of security?

At Least This Snake Oil Is Free.
http://msinfluentials.com/blogs/jesper/archive/2007/07/19/at-least-this-snake-oil-is-free.aspx

Deconstructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater—it’s a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."

Managing the Windows Vista Firewall
http://technet.microsoft.com/en-us/magazine/cc510323.aspx
"Given the choice between security and sufficiently enticing rewards, like
naked dancing pigs, the naked dancing pigs will win every time because the
vast majority of dialogs asking users to make security decisions are devoid
of any information that would enable them to actually make such a
decision."

(Don't be blinded by marketing!)

> Should I uninstall CPF?

Yes, definitely!
E.g. a hacker needs a point of access to place viruses and other malware on
a computer. No open ports, no points of access, firewall, or not. Ports are
opened by services! Disable the services, and there are no open ports, no
points of access; even without a firewall.
No open ports = No potential vulnerabilities.
Open ports + firewall = Two potential vulnerabilities.
When you connect your browser to a web site, you give whatever access
permissions are set in your browser to that web site, even with a firewall
in place. Safe browsing depends upon a secure browser!
But because the Windows firewall is an integral part of the OS, keep it enabled; it
won't do any harm.
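Kayman's rule that ports are opened by services is easiest to act on when you can see which service owns each listening port and whether it is reachable from the network at all. This is an added example, not code from anyone in the thread; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that processes running as SYSTEM resolve by name.

```powershell
# Added example: map every listening TCP port to its owning process and, where
# that process hosts Windows services, to the service names, then mark whether
# the listener is reachable from the network or bound to loopback only.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated prompt.
function Get-ListeningPortOwners {
    # Services keyed by the PID of their host process; one svchost.exe hosts many.
    $servicesByPid = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort, LocalAddress |
        ForEach-Object {
            $procId  = $_.OwningProcess
            $process = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $hosted  = $servicesByPid["$procId"]

            # Loopback-only listeners are not reachable from other hosts, so they
            # are not the "open ports" Kayman's argument is about.
            $exposure = if ($_.LocalAddress -in @('127.0.0.1', '::1')) { 'loopback' } else { 'network' }

            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $procId
                Process      = if ($process) { $process.ProcessName } else { '(unknown)' }
                Services     = if ($hosted)  { ($hosted.Name | Sort-Object) -join ', ' } else { '' }
                Exposure     = $exposure
            }
        }
}

# The network-reachable listeners and the services behind them: this is the
# list to review before deciding which services to disable or unbind.
Get-ListeningPortOwners | Where-Object Exposure -eq 'network' | Format-Table -AutoSize
```

UDP listeners are not covered here; Get-NetUDPEndpoint gives the equivalent view for those.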

Bit Twister
27 Dec 2008, 21:17:04
On Sun, 28 Dec 2008 07:54:03 +0700, Kayman wrote:

> When you connect your browser to a web site, you give whatever access
> permissions are set in your browser to that web site, even with a firewall
> in place. Safe browsing depends upon a secure browser!

Good advice, in the past. Crackers went after services connected to the
internet; firewalls shut that down. Then they went after Internet
Explorer. People switched to more secure browsers and Micro$not
started fixing their browser. Now crackers are going after the
applications launched by the browser using malware-infected data files:
flash, pdf, gif, MP3, WMA, WMV, MP2,...

People slacked off downloading files from unknown sites. Crackers
moved to infecting web sites. People resorted to safe browsing by only
going to reputable web sites. Crackers went after ad servers and cross
site scripting. Reputable web sites are no longer safe.

AV software improved. But they were running about 6 weeks behind finding
new malware and getting an update into the AV database.

Crackers bought AV software and when it detected the malware, they
changed the code to bypass the AV scanner. That was expensive so
they responded with malware which morphs its signature every hour.

It is a wonder every M$ system is not infected with something.

What is the casual computer user to do? Change to a more secure
operating system like Linux.

Do not want to change OS?
Install a Virtual machine like VirtualBox or VMware.

Create a guest machine for web browsing. Never use it for any site
requiring a password. Always close the browser guest without saving,
in case something gets in. Create another guest for each site,
activity requiring a password.

Infection on the browser guest cannot get any banking info from the
bank guest. Never go anywhere but the bank site in the bank guest.
Close the bank guest without saving.

Create separate guests for each email account.
That keeps an infection from an email confined to data for that account only.
Malware cannot get other people's email from the address book.
Remember to export the address book and any saved email onto the host
before wiping the email guest.

Nik Gr
28 Dec 2008, 13:34:41

"Bit Twister" <BitTw...@mouse-potato.com> wrote in message
news:slrngldod0.s...@wm81.home.test...

> Crackers bought AV software and when it detected the malware, they
> change the code to bypass AV scanner. That was expensive so
> they responded with malware which morphs it's signature every hour.

Can malware which is an executable file alter its own process in order to
change its own signature?
Is this possible?

> It is a wonder every M$ system is not infected with something.
>
> What is the casual computer user to do. Change to a more secure
> operating system like linux.

That would be best, but don't Linux and FreeBSD also get infected the
same way?
What makes them safer than Windows?

> Do not want to change OS?
> Install a Virtual machine like VirtualBox or VMware.

You mean inside Linux? Or inside our actually installed Windows?
If you infect yourself while you are using a virtual machine, will the real Windows
system remain intact?
Can't malware jump outside the virtual machine to infect the host running the
VM?

Nik Gr
28 Dec 2008, 13:47:59

"Kayman" <kayhkay...@operamail.com> wrote in message
news:ma6sx9sgcu1d$.1g563bl3ugxtz$.dlg@40tude.net...

> (Don't be blinded by marketing!)

Thanks very much for the links, they were enlightening.


>> Should I uninstall CPF?
>
> Yes, definitely!

I decided and already uninstalled, since I am now convinced that any
self-respecting malware can trick or disable any running firewall a user
might use.

Comodo might catch a malware executable the minute I try to double click to
install it, or it may not, depending on the malware.

Comodo claims that with the use of HIPS and behaviour analysis it can notify
the user about any attempts an executable tries to perform, but then again
can't malware work beneath the firewall so as to shut it down?

What if we use a firewall within a LUA environment? Can malware escape, being
brought to the surface as well?

But if they are so cleverly designed, what stops them from secretly logging off the
LUA environment and logging in as administrators?
From what I hear malware can do just about everything. So maybe they won't
only trick the firewall but even Windows itself?

> E.g. a hacker needs a point of access to place viruses and other malware
> on
> a computer. No open ports, no points of access, firewall, or not. Ports
> are
> opened by services! Disable the services, and there are no open ports, no
> points of access; even without a firewall.

Agreed, but then again if we disable all our services then Windows won't be
functional and handy any more, would it?

> No open ports = No potential vulnerabilities.

Sure, but even if we disable the browser's outbound port then how will we
browse the web? Or chat or email?
Or if we run a web server and close port 80, how will people visit our webpage?

> Open ports + firewall = Two potential vulnerabilities.

Yes, open ports can be used both by our services but by malware too.

Firewalls, yes, a threat too because they are made out of code and can contain
security vulnerabilities as well.

Bit Twister
28 Dec 2008, 14:31:38
On Sun, 28 Dec 2008 20:34:41 +0200, Nik Gr wrote:
>
>
> "Bit Twister" <BitTw...@mouse-potato.com> wrote in message
> news:slrngldod0.s...@wm81.home.test...
>
>> Crackers bought AV software and when it detected the malware, they
>> change the code to bypass AV scanner. That was expensive so
>> they responded with malware which morphs it's signature every hour.
>
> Can malware which is an executable file alter its own process in order to
> change its own signature?
> Is this possible?

Sure can. Code runs once, makes copy, updates copy, set new copy to
run, delete self from disk. You might be thinking a program has a
signature. It does not. The signature is what the AV vendor has
decided where something in the file identifies it enough to claim it
as malware.


>> What is the casual computer user to do. Change to a more secure
>> operating system like linux.
>

> What makes them safer than Windows?

Heheheh, over 1 million malware programs for doze, less than 1,000 for
Linux and Unix combined. What are your odds? :)

99.99% of those *nux/unix exploits were patched years ago.

Think about it, black hats have no access to M$ source code but are
generating malware at about a new one every 20 seconds. :(

With Linux they have access to the source, so why isn't there a bunch of
malware out there for Linux?

FUD throwers would say not enough market share. Yeah, right.
Red Hat has more than 1.5 million paying customers, Suse, more than 2
million. Not counting the free copies downloaded and installed, what
Bot Herder would not want to have a bot net that large.


In a nutshell, you start out with two accounts, root and your user
account. User account can only screw up their files in their account.
Cannot do anything to system files. Only root can mess with system files.
You do nothing but update files and system repair in the root account.
Malware does not get a foothold in the system unless root is stupid
and surfing the net or installing software from untrusted sites.

>> Do not want to change OS?
>> Install a Virtual machine like VirtualBox or VMware.
>
> You mean inside Linux? Or inside our actually installed Windows?

Yes, check out http://www.virtualbox.org/


> If you infect yourself while you are using a virtual machine, will the real Windows
> system remain intact?

You install your OS of choice in the virtual machine guest, let's call
it "browser", and save it.

When ready to surf the net, click on the browser selection and a few
seconds later you are sitting inside the VM guest called browser.
You start doing whatever you like. You get an infection, you may or may
not know it.

No matter, when you quit the guest, everything goes into the bit bucket.
Your host is not infected. If you do not save the current state of the
guest, it is thrown away. Next click of guest, you start with a
clean slate.

> Can't malware jump outside the virtual machine to infect the host running the
> VM?

I have seen patches to VM to close those exploits which might allow
that to happen. As a matter of fact, some fancy malware checks to see
if it is running in a virtual machine and if so, play dead.

AV Vendors have spiders and whatnot crawling the web trying to catch
a malware infection. Vendors are usually doing that from a VM guest.
When they find malware, they load it into a test guest to see
what/how it works. Then generate signature(s), plug those into
database and see if scanner can manage/find/undo it.

Kayman
28 Dec 2008, 19:34:35
On Sun, 28 Dec 2008 20:47:59 +0200, Nik Gr wrote:

> "Kayman" <kayhkay...@operamail.com> wrote in message
> news:ma6sx9sgcu1d$.1g563bl3ugxtz$.dlg@40tude.net...
>
>> (Don't be blinded by marketing!)
>
> Thanks very much for the links, they were enlightening.

YW.

>>> Should I uninstall CPF?
>>
>> Yes, definitely!
>
> I decided and already uninstalled, since I am now convinced that any
> self-respecting malware can trick or disable any running firewall a user
> might use.

Good!


> Comodo might catch a malware executable the minute I try to double click to
> install it, or it may not, depending on the malware.
>
> Comodo claims that with the use of HIPS and behaviour analysis it can notify
> the user about any attempts an executable tries to perform, but then again
> can't malware work beneath the firewall so as to shut it down?

Yes, makers of 3rd party firewall applications (PFW) do claim a lot...



> What if we use a firewall within a LUA environment? Can malware escape, being
> brought to the surface as well?

The authors of malware are extremely clever!



> But if they are so cleverly designed, what stops them from secretly logging off the
> LUA environment and logging in as administrators?
> From what I hear malware can do just about everything. So maybe they won't
> only trick the firewall but even Windows itself?

That may be possible.



>> E.g. a hacker needs a point of access to place viruses and other malware
>> on
>> a computer. No open ports, no points of access, firewall, or not. Ports
>> are
>> opened by services! Disable the services, and there are no open ports, no
>> points of access; even without a firewall.
>
> Agreed, but then again if we disable all our services then Windows won't be
> functional and handy any more, would it?

Well, it's a PC; configure it safely the way you find most suitable. This
can be a trying and tedious exercise but will bear fruit eventually.


>> No open ports = No potential vulnerabilities.
>
> Sure, but even if we disable the browser's outbound port then how will we
> browse the web? Or chat or email?
> Or if we run a web server and close port 80, how will people visit our webpage?

In addition to my post of 24-Dec-08 3:56:38 PM, check this:
Configuring NT-services much more secure.
http://www.ntsvcfg.de/ntsvcfg_eng.html


>> Open ports + firewall = Two potential vulnerabilities.
>
> Yes, open ports can be used both by our services but by malware too.
> Firewalls, yes, a threat too because they are made out of code and can contain
> security vulnerabilities as well.

Right.

Nik Gr
29 Dec 2008, 06:35:45

"Kayman" <kayhkay...@operamail.com> wrote in message
news:8imdss8vsy4m$.vouer3wzi8pl$.dlg@40tude.net...

>> Comodo might catch a malware executable the minute I try to double click
>> to install it, or it may not, depending on the malware.
>>
>> Comodo claims that with the use of HIPS and behaviour analysis it can notify
>> the user about any attempts an executable tries to perform, but then again
>> can't malware work beneath the firewall so as to shut it down?
>
> Yes, makers of 3rd party firewall applications (PFW) do claim a lot...

So you agree with me that malware can run at a lower ring level than the
opposing firewall, a ring level at which the firewall is only a process for the
malware to kill and nothing more.

Damn, can't 3rd party firewall vendors protect their products from something
like that? They are aware of that case, so how do they counteract?

>> What if we use a firewall within a LUA environment? Can malware escape,
>> being brought to the surface as well?
>
> The authors of malware are extremely clever!

LUA WON'T protect us either?!!?!?

>> But if they are so cleverly designed, what stops them from secretly logging
>> off the LUA environment and logging in as administrators?
>> From what I hear malware can do just about everything. So maybe they won't
>> only trick the firewall but even Windows itself?
>
> That may be possible.

Can't it do the same thing with the Windows firewall as well? Then HOW to stay safe?

>> Agreed, but then again if we disable all our services then Windows won't be
>> functional and handy any more, would it?
>
> Well, it's a PC; configure it safely the way you find most suitable. This
> can be a trying and tedious exercise but will bear fruit eventually.

Even if I try any possible type of configuration some ports MUST remain open
in order for some must-run services to work.

I strongly believe that we, users, are unprotectable since:

a) We have to open ports so our services communicate with the outer world,
or even if we don't run services some local ports will always be opened for
traffic to create listening sockets. As we, users, use them, so malware can
use them too.

b) Firewalls DON'T help at all, not before infection, not afterwards. It's
fruitless to use them.

c) LUA will fail us too since malware can escape even from a restricted
environment such as a standard user account and then log in as admin
itself.

BOTTOM LINE IS USERS ARE DOOMED TO BE INFECTED.

Ansgar -59cobalt- Wiechers

29 Dec 2008, 06:41:12
Nik Gr <niko...@gmail.com> wrote:

> "Bit Twister" <BitTw...@mouse-potato.com> wrote:
>> Crackers bought AV software and when it detected the malware, they
>> changed the code to bypass the AV scanner. That was expensive, so
>> they responded with malware which morphs its signature every hour.
>
> Can malware which is an executable file alter its own process in
> order to change its own signature?
> Is this possible?

http://en.wikipedia.org/wiki/Polymorphic_code

>> It is a wonder every M$ system is not infected with something.
>>
>> What is the casual computer user to do. Change to a more secure
>> operating system like linux.
>
> That would be best, but don't Linux and FreeBSD also get infected
> in the same manner?
> What makes them safer than Windows?

Nothing. That's just stupid superstition. Linux and the BSDs have better
default settings than Windows, but once you change the defaults (like,
don't work with admin/root privileges, shut down services you don't want
to provide, etc.), even Windows is reasonably secure.

>> Do not want to change OS?
>> Install a Virtual machine like VirtualBox or VMware.
>
> You mean inside Linux? Or inside our actual installed Windows?

The host operating system doesn't matter. Virtual machines can be used
as sandboxes to confine suspicious software to the guest OS so that it
won't be able to tamper with the host OS. Although they are not 100%
escape-proof, they significantly raise the bar for the attacker.

> If you infect yourself while you are using a virtual machine, will the
> real Windows system remain intact?

Yes.

> Can't malware jump outside the virtual machine to infect the host
> running the VM?

There are ways malware might break out of a VM. It's far more difficult
than "simply" infecting the "normal" operating system, though.

Ansgar -59cobalt- Wiechers

29 Dec 2008, 06:45:19
Bit Twister <BitTw...@mouse-potato.com> wrote:
> On Sun, 28 Dec 2008 20:34:41 +0200, Nik Gr wrote:
>> "Bit Twister" <BitTw...@mouse-potato.com> wrote:
>>> What is the casual computer user to do. Change to a more secure
>>> operating system like linux.
>>
>> What makes them safer than Windows?
>
> Heheheh, over 1 million malware programs for doze, less than 1,000 for
> linux and unix combined. What are your odds? :)

Since none of my Windows systems got infected in the past 10 years:
pretty good I'd say. Provided you know what you're doing.

Nik Gr

29 Dec 2008, 07:16:59

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gjad0o...@news.in-ulm.de...

> Nothing. That's just stupid superstition. Linux and the BSDs have better
> default settings than Windows, but once you change the defaults (like,
> don't work with admin/root privileges, shut down services you don't want
> to provide, etc.), even Windows is reasonably secure.

There are still points of access (ports) that open Windows or user-based
services use that malware on a system can utilize to wreak havoc?

Firewalls are fruitless since they can be tricked or shut down.

LUAs won't help either since malware can elevate its own privileges.

AVs delay 1.5 months on average to slip new signatures into their virus
recognition databases, so the harm to a system is already done by 0-day
exploits.

The only way a system can remain safe, as I see it, is if ALL its PORTS remain
closed, but then it isn't a functional OS any more.

Since that cannot happen WE ARE ALL DOOMED to GET INFECTED.

And, NO, even if having ALL the above security products provides
hypothetically some sense (a false one) and layer of security, then why is
almost every damn Windows host on earth infected?

Hell, we are still about to get infected by any zero-day
worm/virus/trojan/sec vuln, so why pay for security products? We can GET
INFECTED FOR FREE!!!

Ansgar -59cobalt- Wiechers

29 Dec 2008, 09:11:22
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> Nothing. That's just stupid superstition. Linux and the BSDs have
>> better default settings than Windows, but once you change the
>> defaults (like, don't work with admin/root privileges, shut down
>> services you don't want to provide, etc.), even Windows is reasonably
>> secure.
>
> There are still points of access (ports) that open Windows or user-based
> services use that malware on a system can utilize to wreak havoc?

There is no difference between Windows and Linux in this respect.
Services that are accessible from the outside can be attacked from the
outside.

> Firewalls are fruitless since they can be tricked or shut down.

Where did you get that idea?

Firewalls can reliably filter inbound traffic. However, if you don't run
services you don't want to provide, you don't need to filter anything in
the first place. You also don't have to run additional code (the
firewall) that may contain additional exploitable bugs. Therefore you
usually don't need a host-based firewall to filter inbound traffic.

Firewalls cannot reliably filter outbound traffic (unless you're
strictly whitelisting the traffic, maybe). Even less, if your account
has admin privileges. Once malware is executed on your system with admin
privileges, you're screwed. Period. It doesn't matter that there's a
chance that the malware may not have tampered with your system. You
simply cannot be sure unless you are able to verify the integrity of the
registry and every single library and executable file on the system.

> LUAs' won't help either since a malware can elevate its own privileges

Where did you get that idea?

All privilege elevation attacks rely on the existence of vulnerabilities
in software running with elevated privileges. That can be configuration
errors, bugs or design flaws. You mitigate this risk both by proper
configuration and keeping your software up-to-date.

> AVs delay 1.5 months on average to slip new signatures into their virus
> recognition databases, so the harm to a system is already done by 0-day
> exploits.

Where did you get that idea?

That's simply not true. However, for signature-based scanners to be able
to detect malware, the vendor first needs to become aware of the malware
(and get their hands on a sample). So there is some delay, and scanners
won't be able to detect every possible malware.

> The only way a system can remain safe, as I see it, is if ALL its PORTS
> remain closed, but then it isn't a functional OS any more.

Where did you get that idea?

You can close virtually all ports without losing functionality. You have
already been referred to [1]. There's also a program with a nice GUI [2]
doing the same thing.

> Since That cannot happen WE ARE ALL DOOMED to GET INFECTED.

I've been using Windows for more than 10 years now and haven't been
infected once, so I can't really confirm that.

> And, NO, even if having ALL the above security products provides
> hypothetically some sense (a false one) and layer of security, then why
> is almost every damn Windows host on earth infected?

Because people still

- work with admin privileges
- provide services they don't actually want to provide
- don't keep their software up-to-date
- run software without even thinking about whether that may be a good
idea or not (like, opening encrypted attachments from e-mails)
...

> Hell, we are still about to get infected by any zero-day
> worm/virus/trojan/sec vuln, so why pay for security products? We can GET
> INFECTED FOR FREE!!!

What's your point? You seem to be looking for some kind of "make my
system invulnerable to any kind of threat" solution. Well, guess what:
there ain't no such thing.

[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
[2] http://www.dingens.org/index.html.en

Kayman

29 Dec 2008, 09:50:20
On Mon, 29 Dec 2008 13:35:45 +0200, Nik Gr wrote:

<big snip>

> BOTTOM LINE IS USERS ARE DOOMED TO BE INFECTED.

You are much too pessimistic, but then again paranoia can be a healthy
approach to computing safely :)
We can talk about this issue till the cows come home. There is no perfect
operating system on the market. It is up to you to make it safe and secure
to suit your personal computing/browsing habits.
And there is no silver bullet; but running a LUA is one of the best ways of
running an OS safely.
A fully patched Windows (NT) system is more secure (has fewer
vulnerabilities) than a fully patched Windows system with a 3rd party
firewall (PFW) added to it.
Even updating the OS is not enough. You have to make sure all other
applications are patched as well to mitigate vulnerabilities.
Security cannot be guaranteed. It's all about balancing risk. But I would
at any time prefer a LUA approach to any security product which requires
you to run as Administrator.
You're already a big step ahead for understanding that the claim made by
most makers of PFWs that outbound traffic control is a vital part of
Internet security is misleading, outrageous and false!
You have received some good links authored by well respected Internet
experts for you to read and excellent advice especially from A50c-W; it's
now up to you to implement accordingly.
After you get used to your 'secured' operating system and browse
responsibly, you may even find that you can get by without an AV application
and utilize monitoring tools such as AutoRuns and ProcessExplorer instead.
Also, ensure you back up regularly; develop a contingency plan; be
prepared! Consider "What if..."
Familiarize yourself with crash recovery tools and re-installing your
operating system; don't get caught flat-footed.
(As a side note, I can flatten and rebuild my OS in about 3 hours;
this beats scanning/updating with 'sophisticated/complex' AV apps.)

Most computer magazines and/or (computer) specialized websites are *biased*
i.e. heavily weighted towards the (advertisement) dollar almighty!
Make it a habit checking credentials of authors writing articles/messages
in advertisement sponsored publications and take commercial messages with a
ton of salt.
How Security Companies Sucker Us With Lemons.
http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419
http://www.schneier.com/index.html

Good luck :)

Ansgar -59cobalt- Wiechers

29 Dec 2008, 10:17:53
Kayman <kayhkay...@operamail.com> wrote:
> then again paranoia can be a healthy approach to compute safely :)

No, it can't. Paranoia is by definition irrational fear. That does not
help with computer security at all. In order to gain security you have
to identify threats, break them down into manageable scenarios, and then
find countermeasures to mitigate the risks the threats pose (or decide
that you'll live with the risk). Paranoia will only get in the way,
because it will prevent you from analyzing the situation in a rational
way.

Be cautious. Be defensive. Do not be paranoid.

Nik Gr

29 Dec 2008, 13:54:09

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gjalqa...@news.in-ulm.de...

>> Firewalls are fruitless since they can be tricked or shut down.
>
> Where did you get that idea?
>
> Firewalls can reliably filter inbound traffic. However, if you don't run
> services you don't want to provide, you don't need to filter anything in
> the first place. You also don't have to run additional code (the
> firewall) that may contain additional exploitable bugs. Therefore you
> usually don't need a host-based firewall to filter inbound traffic.

If you don't want to run services, OK.
But if you want to run a web server or an FTP server and maybe an SSH server
and a MySQL server, then won't you agree that proper configuration of those
services made by the user isn't enough and a good firewall filtering inbound
traffic must be used?!

> Firewalls cannot reliably filter outbound traffic

Agreed, as the links you provided tell me. But then again they might still
catch some types of outbound malware traffic. That's better than nothing.

>> AVs delay 1.5 months on average to slip new signatures into their virus
>> recognition databases, so the harm to a system is already done by 0-day
>> exploits.
>
> Where did you get that idea?
>
> That's simply not true. However, for signature-based scanners to be able
> to detect malware, the vendor first needs to become aware of the malware
> (and get their hands on a sample). So there is some delay, and scanners
> won't be able to detect every possible malware.

Why not true? I can get infected tonight by some webpage and 1.5 months
later my AV will notify me that I have a virus installed on my PC. Harm done.

>> The only way a system can remain safe, as I see it, is if ALL its PORTS
>> remain closed, but then it isn't a functional OS any more.
>
> Where did you get that idea?
>
> You can close virtually all ports without losing functionality. You have
> already been referred to [1]. There's also a program with a nice GUI [2]
> doing the same thing.
>
>> Since That cannot happen WE ARE ALL DOOMED to GET INFECTED.
>
> I've been using Windows for more than 10 years now and haven't been
> infected once, so I can't really confirm that.
>
>> And, NO, even if having ALL the above security products provides
>> hypothetically some sense (a false one) and layer of security, then why
>> is almost every damn Windows host on earth infected?
>
> Because people still
>
> - work with admin privileges
> - provide services they don't actually want to provide
> - don't keep their software up-to-date
> - run software without even thinking about whether that may be a good
> idea or not (like, opening encrypted attachments from e-mails)

I will do this.
I am planning to run a web server though, and an SSH server.

I plan to use a firewall to filter inbound traffic. Shouldn't I?

AV perhaps?

Ansgar -59cobalt- Wiechers

29 Dec 2008, 14:53:02
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>>> Firewalls are fruitless since they can be tricked or shut down.
>>
>> Where did you get that idea?
>>
>> Firewalls can reliably filter inbound traffic. However, if you don't
>> run services you don't want to provide, you don't need to filter
>> anything in the first place. You also don't have to run additional
>> code (the firewall) that may contain additional exploitable bugs.
>> Therefore you usually don't need a host-based firewall to filter
>> inbound traffic.
>
> If you don't want to run services, OK. But if you want to run a web
> server or an FTP server and maybe an SSH server and a MySQL server, then
> won't you agree that proper configuration of those services made by the
> user isn't enough and a good firewall filtering inbound traffic must be
> used?!

Uh... what? Filtering traffic with a firewall means that you're not
accepting connections to your service. If you don't want to accept
connections to your service: why are you running it in the first place?
If you do want to accept connections to your service: how would the
firewall be protecting the service if it's passing on the packets
anyway?

Besides, services are configured by the administrator, not by the user.

>> Firewalls cannot reliably filter outbound traffic
>
> Agreed, as the links you provided tell me. But then again they might
> still catch some types of outbound malware traffic. That's better than
> nothing.

It isn't reliable. Plus, it can only detect malware *after* it already
was executed. In which case you're already screwed.

>>> AVs delay 1.5 months on average to slip new signatures into their
>>> virus recognition databases, so the harm to a system is already done
>>> by 0-day exploits.
>>
>> Where did you get that idea?
>>
>> That's simply not true. However, for signature-based scanners to be
>> able to detect malware, the vendor first needs to become aware of the
>> malware (and get their hands on a sample). So there is some delay,
>> and scanners won't be able to detect every possible malware.
>
> Why not true? I can get infected tonight by some webpage and 1.5
> months later my AV will notify me that I have a virus installed on my
> PC. Harm done.

It usually takes something from a couple hours to a couple days for new
signatures to become available. Also, like I said before, virus scanners
can only detect the *presence* of malware. They can *never* detect the
*absence* of malware. Anything that doesn't raise an alarm could still
contain malware that isn't yet known.

[...]


> I am planning to run a web server though, and an SSH server.
>
> I plan to use a firewall to filter inbound traffic. Shouldn't I?

What for? Which attack scenarios do you see and how would a firewall
protect you from them?

> AV perhaps?

What for? Which attack scenarios do you see and how would a virus
scanner protect you from them?

Nik Gr

29 Dec 2008, 16:19:34

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gjb9qu...@news.in-ulm.de...

>>> Firewalls can reliably filter inbound traffic. However, if you don't
>>> run services you don't want to provide, you don't need to filter
>>> anything in the first place. You also don't have to run additional
>>> code (the firewall) that may contain additional exploitable bugs.
>>> Therefore you usually don't need a host-based firewall to filter
>>> inbound traffic.
>>
>> If you don't want to run services, OK. But if you want to run a web
>> server or an FTP server and maybe an SSH server and a MySQL server, then
>> won't you agree that proper configuration of those services made by the
>> user isn't enough and a good firewall filtering inbound traffic must be
>> used?!
>
> Uh... what? Filtering traffic with a firewall means that you're not
> accepting connections to your service. If you don't want to accept
> connections to your service: why are you running it in the first place?
> If you do want to accept connections to your service: how would the
> firewall be protecting the service if it's passing on the packets
> anyway?

I thought that firewalls can block malicious per-application traffic (TCP/UDP
packets) so as to "filter" the valid stuff from the bad stuff.
Doesn't filter mean distinguish?!
Or does it instead mean block?

If I say I filter traffic with Comodo on port 80, you mean it means blocking
all incoming traffic to port 80? Not sorting out?!


> Besides, services are configured by the administrator, not by the user.

What is your point with that argument?

>>> Firewalls cannot reliably filter outbound traffic
>>
>> Agreed, as the links you provided tell me. But then again they might
>> still catch some types of outbound malware traffic. That's better than
>> nothing.
>
> It isn't reliable. Plus, it can only detect malware *after* it already
> was executed. In which case you're already screwed.

Maybe it can detect them when they are trying to run in the first place by
analyzing them and asking us whether we allow them or not. Not all of them but
some of them.

>>>> AVs delay 1.5 months on average to slip new signatures into their
>>>> virus recognition databases, so the harm to a system is already done
>>>> by 0-day exploits.
>>>
>>> Where did you get that idea?
>>>
>>> That's simply not true. However, for signature-based scanners to be
>>> able to detect malware, the vendor first needs to become aware of the
>>> malware (and get their hands on a sample). So there is some delay,
>>> and scanners won't be able to detect every possible malware.
>>
>> Why not true? I can get infected tonight by some webpage and 1.5
>> months later my AV will notify me that I have a virus installed on my
>> PC. Harm done.
>
> It usually takes something from a couple hours to a couple days for new
> signatures to become available. Also, like I said before, virus scanners
> can only detect the *presence* of malware. They can *never* detect the
> *absence* of malware. Anything that doesn't raise an alarm could still
> contain malware that isn't yet known.

So even if AV vendors fall back only 2 hours before updating their sig
databases, what good will it be since we will already be infected?

>> I am planning to run a web server though, and an SSH server.
>>
>> I plan to use a firewall to filter inbound traffic. Shouldn't I?
>
> What for? Which attack scenarios do you see and how would a firewall
> protect you from them?

As you said, firewalls can reliably protect our inbound traffic; that's
reason 1.
And maybe they can help limit the infection by blocking suspicious outbound
traffic of not-so-clever malware attempts. Correct?

>> AV perhaps?
>
> What for? Which attack scenarios do you see and how would a virus
> scanner protect you from them?

It can't protect me from 0-day exploits, BUT it can still help me remove
known types of infections using its sig database. Correct?


Sorry for repeating myself but I need to make myself very clear on whether I
MUST or MUST NOT use FWs and AVs.
I am laying out to you my way of thinking so you can give the green or red
light respectively along with reasons I can understand.

Thank you for the help you have provided up until now and the future help
(hopefully in another thread since this has to end sometime ;)

Ansgar -59cobalt- Wiechers

29 Dec 2008, 17:15:00
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>>> If you don't want to run services, OK. But if you want to run a web
>>> server or an FTP server and maybe an SSH server and a MySQL server, then
>>> won't you agree that proper configuration of those services made by
>>> the user isn't enough and a good firewall filtering inbound traffic
>>> must be used?!
>>
>> Uh... what? Filtering traffic with a firewall means that you're not
>> accepting connections to your service. If you don't want to accept
>> connections to your service: why are you running it in the first
>> place? If you do want to accept connections to your service: how
>> would the firewall be protecting the service if it's passing on the
>> packets anyway?
>
> I thought that firewalls can block malicious per-application
> traffic (TCP/UDP packets) so as to "filter" the valid stuff from the bad
> stuff.

Packet level filters can't do that. You need application level filters
for every protocol in question to do that kind of thing. Apache running
as a reverse proxy with mod_security is an example for a setup to filter
HTTP traffic in that way.

> Doesn't filter mean distinguish?!
> It instead means block?

For personal firewalls it usually means block, yes. There may be
exceptions, but I have yet to see one.

> If I say I filter traffic with comodo on port 80 you mean it means
> blocking all incoming traffic to port 80? not sorting out?!

You are the one using Comodo, so you tell me. It's what I would expect,
though.

>> Besides, services are configured by the administrator, not by the user.
>
> What is your point by that argument?

It's merely a correction to your statement.

>>> Agreed, as the links you provided tell me. But then again they might
>>> still catch some types of outbound malware traffic. That's better
>>> than nothing.
>>
>> It isn't reliable. Plus, it can only detect malware *after* it
>> already was executed. In which case you're already screwed.
>
> Maybe it can detect them when they are trying to run in the first place
> by analyzing them and asking us whether we allow them or not. Not all of
> them but some of them.

That's what virus scanners are for. Personal firewalls try to restrict a
program after it actually got executed. Did I mention that you're
already screwed at that point?

>>> I can get infected tonight by some webpage and 1.5 months later my
>>> AV will notify me that I have a virus installed on my PC. Harm done.
>>
>> It usually takes something from a couple hours to a couple days for
>> new signatures to become available. Also, like I said before, virus
>> scanners can only detect the *presence* of malware. They can *never*
>> detect the *absence* of malware. Anything that doesn't raise an alarm
>> could still contain malware that isn't yet known.
>
> So even if AV vendors fall back only 2 hours before updating their sig
> databases, what good will it be since we will already be infected?

You are able to sort out already known malware. Should (in addition to
that) the scanner detect an infection later on (because the signatures
were updated and the malware didn't fuck up the scanner), you'll know
that you're screwed and need to reinstall your system. Or re-create your
profile in case only a normal user account was affected.

>>> I am planning to run a web server though, and an SSH server.
>>>
>>> I plan to use a firewall to filter inbound traffic. Shouldn't I?
>>
>> What for? Which attack scenarios do you see and how would a firewall
>> protect you from them?
>
> As you said firewalls can reliably protect our inbound traffic, that's
> reason 1.

As explained above, packet level filtering can't do what you seem to
expect. Application level filtering probably can, but it has other
disadvantages:

a) It increases the latency of all connections, because packet
reassembly and inspection take up time.
b) Additional code means additional, possibly exploitable bugs. I
already mentioned the case of W32/Witty.worm before.
c) The additional configuration required for this kind of filtering will
significantly increase your administrative workload.

> And maybe thay can help limit the infection by blocking suspicious
> outbound traffic of not so clever malware attempts. Correct?

Maybe, maybe not. I already explained that this is not reliable, and
thus not a security measure. I also explained before, that the
additional code needed for inspecting/blocking the traffic may *lead* to
an infection.

>>> AV perhaps?
>>
>> What for? Which attack scenarios do you see and how would a virus
>> scanner protect you from them?
>
> It can't protect me from 0-day exploits, BUT it can still help me remove
> known types of infections using its sig database. Correct?

No. It can help you detect infections. As for removing an infection,
there are only two reliable ways to achieve that:

a) Determine exactly when the infection occurred and what was altered on
the system afterwards (files and registry), and then take back those
alterations.
b) Reinstall the system from known-good media and restore your data from
the latest backup.

http://technet.microsoft.com/en-us/library/cc512587.aspx

> Sorry for repeating myself but I need to make myself very clear on
> whether I MUST or MUST NOT use FWs and AVs.

It's neither "must" nor "must not". From what you have written up to now
I don't see a necessity for you to run either of them, but the decision
whether you want to use any of these is up to you. I can only point out
what advantages or disadvantages I see with using them.

> I am laying out to you my way of thinking so you can give the green or
> red light respectively along with reasons I can understand.

Sorry, but I know way too little of your actual setup and requirements
to give that kind of advice. And I'd have to charge you if you wanted me
to look into this matter that deeply.
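The distinction Ansgar draws above, between a packet-level filter that sees only ports and addresses and an application-level filter that understands the protocol, is easier to grasp in code. The following is an added example written for this page, not code from the thread or from any product; the request samples are constructed, and the HTTP rules (request-line syntax, URI length limit, traversal and NUL checks) are illustrative assumptions, not any firewall's actual policy:

```python
"""Added example: packet-level vs application-level filtering.

A packet filter decides on header fields alone, so anything sent to an
allowed port passes regardless of what it carries.  An application-level
filter reassembles the stream and inspects the protocol itself.  The
samples and the HTTP rules below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    payload: bytes      # application data; invisible to the packet filter


# Packet-level policy: the only inputs are protocol and destination port.
# (Assumed policy: a web server and an SSH server are the services offered.)
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 22)}


def packet_filter(pkt: Packet) -> str:
    """Return 'accept' or 'drop' using header fields only."""
    if (pkt.proto, pkt.dst_port) in ALLOWED_INBOUND:
        return "accept"
    return "drop"


# Application-level policy for HTTP, the kind of check a reverse proxy with
# a web application firewall performs.  Illustrative rules only.
_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]\r\n")
_MAX_URI_LEN = 2048


def http_filter(payload: bytes) -> str:
    """Return 'accept' or a short reason for rejecting the HTTP request."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return "reject: malformed or unsupported request line"
    uri = m.group(2)
    if len(uri) > _MAX_URI_LEN:
        return "reject: oversized URI"
    if b".." in uri:
        return "reject: path traversal sequence"
    if b"\x00" in payload:
        return "reject: NUL byte in request"
    return "accept"


def decide(pkt: Packet) -> dict:
    """Run both filters so the difference in visibility is explicit.

    The HTTP filter only ever sees traffic the packet filter already let
    through to port 80: it cannot replace the packet filter, and the
    packet filter cannot see what it rejects."""
    verdict = {"packet_filter": packet_filter(pkt), "http_filter": None}
    if verdict["packet_filter"] == "accept" and pkt.dst_port == 80:
        verdict["http_filter"] = http_filter(pkt.payload)
    return verdict


# Constructed samples: a legitimate request, a traversal attempt that the
# packet filter happily accepts, a probe to a port that is not offered, and
# an oversized request line.
SAMPLES = {
    "benign": Packet("198.51.100.7", 80, "tcp",
                     b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    "traversal": Packet("198.51.100.7", 80, "tcp",
                        b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    "closed_port": Packet("198.51.100.7", 3306, "tcp", b"\x00"),
    "long_uri": Packet("198.51.100.7", 80, "tcp",
                       b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} {decide(pkt)}")
```

Running it shows the "traversal" sample accepted by the packet filter and rejected only by the HTTP filter, which is exactly why a port-based firewall in front of a service you do want to expose adds nothing the service's own listener does not already decide, while protocol-aware filtering costs the extra parsing code, latency and configuration the post lists.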

Nik Gr

30 Dec 2008, 07:53:46

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gjbi54...@news.in-ulm.de...

> You are able to sort out already known malware. Should (in addition to
> that) the scanner detect an infection later on (because the signatures
> were updated and the malware didn't fuck up the scanner), you'll know
> that you're screwed and need to reinstall your system. Or re-create your
> profile in case only a normal user account was affected.

When one gets infected on LUA, does that mean that the only damage that can
take place is to the files within the user account?

Do other user accounts on the same PC and the system files remain intact?

So if we are infected on LUA we just delete this user account for good and
create another one with the same name under our admin account?


> a) Determine exactly when the infection occurred and what was altered on
> the system afterwards (files and registry), and then take back those
> alterations

How? You can get infected without knowing you are at the time, so wouldn't it
be even more difficult to actually find alterations to files and registry?
That can only happen, in my opinion, if you can compare the current state of
your OS to an actual clean one.
If this can happen I want to know how.

> No. It can help you detect infections. As for removing an infection,
> there are only two reliable ways to achieve that:

Okay, it can't detect zero-day exploits, I agree with you.

Also you are saying that an AV can't successfully remove an infection by
deleting infected files?
And the reason is because you believe that if the system was infected by
unknown malware, one that AVs can't detect at the time, the malware, besides
damaging Windows itself, will damage the AV mechanism as well?

If this is true then ALL AVs are futile to use, because they can't help
protect our PCs and can't clean them either.

Why do people buy antivirus apps?

Ansgar -59cobalt- Wiechers

30 Dec 2008, 08:16:18
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>> You are able to sort out already known malware. Should (in addition
>> to that) the scanner detect an infection later on (because the
>> signatures were updated and the malware didn't fuck up the scanner),
>> you'll know that you're screwed and need to reinstall your system. Or
>> re-create your profile in case only a normal user account was
>> affected.
>
> When one gets infected on LUA, does that mean that the only damage that
> can take place is to the files within the user account?

All files that user has write access to. However, since users normally
shouldn't have write access to executables, libraries and configurations
outside their profile it's basically their profile, yes.

> Other users account on the same pc and system files remain intact?

Yes. That is the main reason for using LUA.

> So if we are infected on LUA we just delete this user account for good
> and create another one with the same name under our admin account?

You don't even have to delete the account. Just delete the profile (or
rename it, so you can recover non-infected data from it, do forensic
examinations, etc.).

>> a) Determine exactly when the infection occurred and what was altered
>> on the system afterwards (files and registry), and then take back
>> those alterations
>
> How? You can get infected without knowing you are at the time, so
> wouldn't it be even more difficult to actually find alterations to files
> and registry?

Well, that's the tricky part. You need to have a baseline to compare
against, e.g. checksums for all files and dumps of the relevant parts
of the registry, so you can compare. You can't simply compare checksums
of the files the registry is stored in, because Windows stores a lot of
dynamic stuff in it, so it's constantly changing.

> That can only happen, in my opinion, if you can compare the current
> state of your OS to an actual clean one.
> If this can happen I want to know how.

See above. Yes, that means a *lot* of maintenance.

>> No. It can help you detect infections. As for removing an infection,
>> there are only two reliable ways to achieve that:
>
> Okey it cant detect zero exploits, I agree with you.
>
> Also you are saying that an AV can't successfully remove an infection
> by deleting infected files?

You can't be sure of that (unless you have a known-good baseline to
compare against). Read the link I provided for an explanation as to why
that is.

> And the reason is because you believe that if the system was infected
> by unknown malware, one that AVs can't detect at the time, the malware,
> besides damaging Windows itself, will damage the AV mechanism as well?

Again it's "may", not "will". However, the problem is that you can never
be sure that the malware hasn't tampered with the AV software (in case
the malware was run with admin privileges, that is). And that's only one
of the reasons.

> If this is true then ALL AVs are futile to use, because they can't help
> protect our PC and can't clean it either.
>
> Why do people buy antivirus apps?

Because the vendors spend a lot of money on talking people into buying
their stuff?

Nik Gr

30 Dec 2008, 09:34:40

"Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote in message
news:gjd6v2...@news.in-ulm.de...

>> So if we are infected on LUA we just delete this user account for good
>> and create another one with the same name under our admin account?
>
> You don't even have to delete the account. Just delete the profile (or
> rename it, so you can recover non-infected data from it, do forensic
> examinations, etc.).

Currently I am logged in on Windows Vista as standard user "nik", but I'm a
member of the admin groups.
Where can I see my profile so as to alter it or delete it?

What is the difference between a user account and a user profile?

Where are profiles stored?

Will I be safe if every time I get infected I delete my user profile?

>>> a) Determine exactly when the infection occurred and what was altered
>>> on the system afterwards (files and registry), and then take back
>>> those alterations
>>
>> How? You can get infected without knowing you are at the time, so it
>> would be even more difficult to actually find alterations to files and
>> registry?
>
> Well, that's the tricky part. You need to have a baseline to compare
> against, e.g. checksums for all files and dumps of the relevant parts
> of the registry, so you can compare. You can't simply compare checksums
> of the files the registry is stored in, because Windows stores a lot of
> dynamic stuff in it, so it's constantly changing.

Isn't there some Windows application or console command that will compare my
current system files to clean ones on my dvd and re-overwrite the tampered
files with its initial clean versions?

I leave the registry dump part alone, since the user installed programs and
there is no way the current registry size would be the same as the
after-format registry.

baseline = a measure of comparison?
checksum = comparison of sizes between 2 files?

And last, I think I'll just leave my router's hardware firewall enabled to
filter (sort out) connections, but an application-level software firewall with
stateful packet inspection would help as well, yes? I'm talking only about
inbound protection.

Kayman

30 Dec 2008, 19:31:11
On Sun, 28 Dec 2008 20:47:59 +0200, Nik Gr wrote:

> Thanks very much for the links, they were enlightening.

Here are some more good-quality articles authored by Jesper M. Johansson
for you to read during the holidays :)

Security Watch Revisiting the 10 Immutable Laws of Security, Part 1
http://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx

Security Watch Revisiting the 10 Immutable Laws of Security, Part 2
http://technet.microsoft.com/en-us/magazine/2008.11.securitywatch.aspx?=blog

Security Watch Revisiting the 10 Immutable Laws of Security, Part 3
http://technet.microsoft.com/en-us/magazine/dd228983.aspx?pr=blog

Happy New Year :)

Nik Gr

31 Dec 2008, 05:38:31

"Kayman" <kayhkay...@operamail.com> wrote in message
news:qrzag8x74lj3.10...@40tude.net...


Thank you very much for the additional links you provided me. (Are there the
same articles in Greek perhaps?)

> Happy New Year :)

And a Happy New and Fruitful year to you too my friend!

Ansgar -59cobalt- Wiechers

1 Jan 2009, 15:16:42
Nik Gr <niko...@gmail.com> wrote:
> "Ansgar -59cobalt- Wiechers" <usene...@planetcobalt.net> wrote:
>>> So if we are infected on LUA we just delete this user account for
>>> good and create another one with the same name under our admin
>>> account?
>>
>> You don't even have to delete the account. Just delete the profile
>> (or rename it, so you can recover non-infected data from it, do
>> forensic examinations, etc.).
>
> Currently I am logged in on Windows Vista as standard user "nik", but
> I'm a member of the admin groups. Where can I see my profile so as to
> alter it or delete it?

The profile is your user's directory in the "Documents and Settings"
folder. Open Explorer, click in the address bar, type %USERPROFILE% and
press <Enter>.

> What is the difference between a user account and a user profile?

The profile is the directory where all of a user's configuration and
data is stored. The account is the information Windows maintains for
managing the user (username, password, location of the profile, etc.).

> Where are profiles stored?

"%SystemDrive%\Documents and Settings"

> Will I be safe if every time I get infected I delete my user profile?

Normally you will. Provided your account didn't have elevated
privileges.

However, since right now your account does have admin privileges, you
have to take something else into consideration. Until Windows 2000
objects created by members of the group "Administrators" were owned by
the group rather than the individual user. This was changed in XP and I
presume also in Vista. Since your user "nik" has admin privileges, this
user is the owner of all files/folders he created (e.g. when installing
a program). Because of this ownership, that user will still have full
access to those files/folders, even if you remove the user from the
group "Administrators". If you don't change this, malware run by the
user "nik" may still be able to compromise stuff outside the user's
profile because of that.

You can:
- delete that user entirely and create a new limited user from the
administrator account
- use that account as your admin account and create a new limited user
- change the ownership of files/folders under %Program Files% and
%SystemRoot% to the group "Administrators"

In any case you should change the default ownership of objects created
by members of the group "Administrators" to that group (there's a
security option for that, which you can change with gpedit.msc).

Also I'd strongly recommend to change the default permissions on
%SystemDrive% to full access for administrators and SYSTEM and read-only
access for normal users or authenticated users. See the link below for
an explanation of the reason why.

http://www.microsoft.com/technet/security/bulletin/MS02-064.mspx

>>>> a) Determine exactly when the infection occurred and what was
>>>> altered on the system afterwards (files and registry), and then
>>>> take back those alterations
>>>
>>> How? You can get infected without knowing you are at the time, so it
>>> would be even more difficult to actually find alterations to files
>>> and registry?
>>
>> Well, that's the tricky part. You need to have a baseline to compare
>> against, e.g. checksums for all files and dumps of the relevant parts
>> of the registry, so you can compare. You can't simply compare
>> checksums of the files the registry is stored in, because Windows
>> stores a lot of dynamic stuff in it, so it's constantly changing.
>
> Isn't there some Windows application or console command that will
> compare my current system files to clean ones on my dvd and
> re-overwrite the tampered files with its initial clean versions?

No. Windows' system files are digitally signed, and you can verify the
signature with sigverif.exe, but you need to do that from a known-good
system, and it won't check the registry and any other file except for
Windows system files.

> I leave the registry dump part alone, since the user installed
> programs and there is no way the current registry size would be the
> same as the after-format registry.
>
> baseline = a measure of comparison?

baseline = a set of checksums

> checksum = comparison of sizes between 2 files?

http://en.wikipedia.org/wiki/Checksum

Normally you'd use a cryptographic hash function for this kind of
checksum:

http://en.wikipedia.org/wiki/Cryptographic_hash_function

> And last, I think I'll just leave my router's hardware firewall enabled
> to filter (sort out) connections, but an application-level software
> firewall with stateful packet inspection would help as well, yes?

If the router does stateful packet inspection, you don't need a software
firewall to do it again. Make sure, though, that you disable UPnP on
your router, and set a good password.
